refacto(refresh token)

Author: MaximeMRF

src/define_config.ts

@@ -4,10 +4,11 @@ import { JwtGuardUser, JwtUserProviderContract } from './types.js'
 import { JwtGuard } from './jwt.js'
 import { Secret } from '@adonisjs/core/helpers'
 import type { StringValue } from 'ms'
+import { AccessTokensUserProviderContract } from '@adonisjs/auth/types/access_tokens'
 
 export function jwtGuard<UserProvider extends JwtUserProviderContract<unknown>>(config: {
   provider: UserProvider
-  refreshTokenUserProvider?: any
+  refreshTokenUserProvider?: AccessTokensUserProviderContract<UserProvider>
   tokenName?: string
   tokenExpiresIn?: number | StringValue
   useCookies?: boolean

src/jwt.ts

@@ -4,13 +4,16 @@ import type { HttpContext } from '@adonisjs/core/http'
 import jwt from 'jsonwebtoken'
 import { JwtUserProviderContract, JwtGuardOptions } from './types.js'
 import { Secret } from '@adonisjs/core/helpers'
+import { AccessTokensUserProviderContract } from '@adonisjs/auth/types/access_tokens'
 
 export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
   implements GuardContract<UserProvider[typeof symbols.PROVIDER_REAL_USER]>
 {
   #ctx: HttpContext
   #userProvider: UserProvider
-  #refreshTokenUserProvider?: any
+  #refreshTokenUserProvider?: AccessTokensUserProviderContract<
+    UserProvider[typeof symbols.PROVIDER_REAL_USER]
+  >
   #options: JwtGuardOptions<UserProvider[typeof symbols.PROVIDER_REAL_USER]>
   #tokenName: string
 
@@ -216,30 +219,47 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
 
     const accessToken = await this.#refreshTokenUserProvider.verifyToken(new Secret(refreshToken))
 
+    if (!accessToken) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
     /**
      * Fetch the user by user ID
      */
-    const providerUser = await this.#userProvider.findById(accessToken.tokenableId)
-    console.log('providerUser', providerUser?.getOriginal())
+    const providerUser = await this.#refreshTokenUserProvider.findById(accessToken.tokenableId)
     if (!providerUser) {
       throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
         guardDriverName: this.driverName,
       })
     }
 
-    /**
-     * Generate a new JWT token for the user
-     */
-    const { token }: any = await this.generate(providerUser.getOriginal())
     this.isAuthenticated = true
     this.user = providerUser.getOriginal() as UserProvider[typeof symbols.PROVIDER_REAL_USER] & {
       currentToken: string
     }
 
-    if (!this.#options.useCookies) {
-      this.user!.currentToken = token
+    /**
+     * Delete the refresh token from the database
+     */
+    const isDeleted = await this.#refreshTokenUserProvider.invalidateToken(new Secret(refreshToken))
+    if (!isDeleted) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
     }
 
+    const newRefreshToken = await this.#refreshTokenUserProvider.createToken(this.user)
+
+    if (!newRefreshToken.value) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
+    this.user.currentToken = newRefreshToken.value?.release()
+
     return this.getUserOrFail()
   }
 

src/types.ts

@@ -1,5 +1,6 @@
 import { symbols } from '@adonisjs/auth'
 import type { StringValue } from 'ms'
+import { AccessTokensUserProviderContract } from '@adonisjs/auth/types/access_tokens'
 
 /**
  * The bridge between the User provider and the
@@ -46,7 +47,7 @@ export type BaseJwtContent = {
 
 export type JwtGuardOptions<RealUser extends any = unknown> = {
   secret: string
-  refreshTokenUserProvider?: any
+  refreshTokenUserProvider?: AccessTokensUserProviderContract<RealUser>
   tokenName?: string
   expiresIn?: number | StringValue
   useCookies?: boolean

tests/guard.spec.ts

@@ -349,25 +349,13 @@ test.group('Jwt guard | authenticate', () => {
       })
     }
 
-    await User.createMany([
-      {
-        email: '[email protected]',
-        username: 'john',
-        password: 'password',
-      },
-      {
-        email: '[email protected]',
-        username: 'jane',
-        password: 'password',
-      },
-    ])
-
     const user = await User.create({
       email: '[email protected]',
       username: 'maxime',
       password: 'password',
     })
     const refreshToken = await User.refreshTokens.create(user)
+    await user.delete()
     ctx.request.request.headers.authorization = `Bearer ${refreshToken.value?.release()}`
     const [result] = await Promise.allSettled([guard.authenticateWithRefreshToken()])
     assert.equal(result!.status, 'rejected')
@@ -380,6 +368,56 @@ test.group('Jwt guard | authenticate', () => {
     assert.isTrue(guard.authenticationAttempted)
   })
 
+  test('throw error when the refresh token is invalid', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+    const db = await createDatabase()
+    await createTables(db)
+    const guard = new JwtGuard(ctx, userProvider, {
+      secret: 'thisisasecret',
+      refreshTokenUserProvider: tokensUserProvider({
+        tokens: 'refreshTokens',
+        async model() {
+          return {
+            default: User,
+          }
+        },
+      }),
+    })
+
+    class User extends BaseModel {
+      @column({ isPrimary: true })
+      declare id: number
+
+      @column()
+      declare username: string
+
+      @column()
+      declare email: string
+
+      @column()
+      declare password: string
+
+      static refreshTokens = DbAccessTokensProvider.forModel(User, {
+        prefix: 'rt_',
+        table: 'jwt_refresh_tokens',
+        type: 'jwt_refresh_token',
+        tokenSecretLength: 40,
+      })
+    }
+
+    ctx.request.request.headers.authorization = `Bearer abcd`
+    const [result] = await Promise.allSettled([guard.authenticateWithRefreshToken()])
+    assert.equal(result!.status, 'rejected')
+    if (result!.status === 'rejected') {
+      assert.instanceOf(result!.reason, errors.E_UNAUTHORIZED_ACCESS)
+    }
+    assert.isUndefined(guard.user)
+    assert.throws(() => guard.getUserOrFail(), 'Unauthorized access')
+    assert.isFalse(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+  })
+
   test('it should return a token when user is authenticated', async ({ assert }) => {
     const ctx = new HttpContextFactory().create()
     const userProvider = new JwtFakeUserProvider()