feat(refresh tokens): authenticateWithRefreshToken() method

Author: MaximeMRF

bin/test.ts

@@ -1,11 +1,12 @@
 import { assert } from '@japa/assert'
+import { fileSystem } from '@japa/file-system'
 import { configure, processCLIArgs, run } from '@japa/runner'
 
 processCLIArgs(process.argv.splice(2))
 
 configure({
   files: ['tests/**/*.spec.ts'],
-  plugins: [assert()],
+  plugins: [assert(), fileSystem()],
 })
 
 run()

package.json

@@ -42,6 +42,7 @@
     "@adonisjs/prettier-config": "^1.4.4",
     "@adonisjs/tsconfig": "^1.4.0",
     "@japa/assert": "^4.0.1",
+    "@japa/file-system": "^2.3.2",
     "@japa/runner": "^4.2.0",
     "@swc/core": "1.11.24",
     "@types/node": "^22.15.18",
@@ -52,6 +53,7 @@
     "luxon": "^3.4.4",
     "np": "^10.0.0",
     "prettier": "^3.5.3",
+    "sqlite3": "^5.1.7",
     "timekeeper": "^2.3.1",
     "ts-node-maintained": "^10.9.5",
     "typescript": "~5.8"

src/define_config.ts

@@ -7,6 +7,7 @@ import type { StringValue } from 'ms'
 
 export function jwtGuard<UserProvider extends JwtUserProviderContract<unknown>>(config: {
   provider: UserProvider
+  refreshTokenUserProvider?: any
   tokenName?: string
   tokenExpiresIn?: number | StringValue
   useCookies?: boolean
@@ -18,6 +19,7 @@ export function jwtGuard<UserProvider extends JwtUserProviderContract<unknown>>(
       const appKey = (app.config.get('app.appKey') as Secret<string>).release()
       const options = {
         secret: config.secret ?? appKey,
+        refreshTokenUserProvider: config.refreshTokenUserProvider,
         tokenName: config.tokenName,
         expiresIn: config.tokenExpiresIn,
         useCookies: config.useCookies,

src/jwt.ts

@@ -3,12 +3,14 @@ import { AuthClientResponse, GuardContract } from '@adonisjs/auth/types'
 import type { HttpContext } from '@adonisjs/core/http'
 import jwt from 'jsonwebtoken'
 import { JwtUserProviderContract, JwtGuardOptions } from './types.js'
+import { Secret } from '@adonisjs/core/helpers'
 
 export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
   implements GuardContract<UserProvider[typeof symbols.PROVIDER_REAL_USER]>
 {
   #ctx: HttpContext
   #userProvider: UserProvider
+  #refreshTokenUserProvider?: any
   #options: JwtGuardOptions<UserProvider[typeof symbols.PROVIDER_REAL_USER]>
   #tokenName: string
 
@@ -20,6 +22,7 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
     this.#ctx = ctx
     this.#userProvider = userProvider
     this.#options = option
+    this.#refreshTokenUserProvider = this.#options.refreshTokenUserProvider
     if (!this.#options.content) this.#options.content = (user) => ({ userId: user.getId() })
     this.#tokenName = this.#options.tokenName ?? 'token'
   }
@@ -171,6 +174,75 @@ export class JwtGuard<UserProvider extends JwtUserProviderContract<unknown>>
     return this.getUserOrFail()
   }
 
+  async authenticateWithRefreshToken(): Promise<
+    UserProvider[typeof symbols.PROVIDER_REAL_USER] & { currentToken: string }
+  > {
+    /**
+     * Ensure the refresh token user provider is defined
+     */
+    if (!this.#refreshTokenUserProvider) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
+    /**
+     * Avoid re-authentication when it has been done already
+     * for the given request
+     */
+    if (this.authenticationAttempted) {
+      return this.getUserOrFail()
+    }
+    this.authenticationAttempted = true
+
+    /**
+     * Ensure the auth header exists
+     */
+    const authHeader = this.#ctx.request.header('authorization')
+    if (!authHeader) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
+    /**
+     * Split the header value and read the token from it
+     */
+    const [, refreshToken] = authHeader!.split('Bearer ')
+    if (!refreshToken) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
+    const accessToken = await this.#refreshTokenUserProvider.verifyToken(new Secret(refreshToken))
+
+    /**
+     * Fetch the user by user ID and save a reference to it
+     */
+    const providerUser = await this.#userProvider.findById(accessToken.tokenableId)
+    if (!providerUser) {
+      throw new errors.E_UNAUTHORIZED_ACCESS('Unauthorized access', {
+        guardDriverName: this.driverName,
+      })
+    }
+
+    /**
+     * Generate a new JWT token for the user
+     */
+    const { token }: any = await this.generate(providerUser.getOriginal())
+    this.isAuthenticated = true
+    this.user = providerUser.getOriginal() as UserProvider[typeof symbols.PROVIDER_REAL_USER] & {
+      currentToken: string
+    }
+
+    if (!this.#options.useCookies) {
+      this.user!.currentToken = token
+    }
+
+    return this.getUserOrFail()
+  }
+
   /**
    * Same as authenticate, but does not throw an exception
    */

src/types.ts

@@ -46,6 +46,7 @@ export type BaseJwtContent = {
 
 export type JwtGuardOptions<RealUser extends any = unknown> = {
   secret: string
+  refreshTokenUserProvider?: any
   tokenName?: string
   expiresIn?: number | StringValue
   useCookies?: boolean

tests/guard.spec.ts

@@ -6,8 +6,72 @@ import { errors } from '@adonisjs/auth'
 import { JwtAuthFakeUser, JwtFakeUserProvider } from '../factories/main.js'
 import jwt from 'jsonwebtoken'
 import { timeTravel } from '../tests/helpers.js'
+import { BaseModel, column } from '@adonisjs/lucid/orm'
+import { DbAccessTokensProvider } from '@adonisjs/auth/access_tokens'
+import { createDatabase, createTables } from '../tests/helpers.js'
+import { tokensUserProvider } from '@adonisjs/auth/access_tokens'
 
 test.group('Jwt guard | authenticate', () => {
+  test('it should return a jwt token when user is authenticated with refresh token', async ({ assert }) => {
+    const ctx = new HttpContextFactory().create()
+    const userProvider = new JwtFakeUserProvider()
+
+    const db = await createDatabase()
+    await createTables(db)
+
+    const guard = new JwtGuard(ctx, userProvider, {
+      secret: 'thisisasecret',
+      refreshTokenUserProvider: tokensUserProvider({
+        tokens: 'refreshTokens',
+        async model() {
+          return {
+            default: User,
+          }
+        },
+      }),
+    })
+
+    class User extends BaseModel {
+      @column({ isPrimary: true })
+      declare id: number
+
+      @column()
+      declare username: string
+
+      @column()
+      declare email: string
+
+      @column()
+      declare password: string
+
+      static refreshTokens = DbAccessTokensProvider.forModel(User, {
+        prefix: 'rt_',
+        table: 'jwt_refresh_tokens',
+        type: 'auth_token',
+        tokenSecretLength: 40,
+      })
+    }
+
+    const user = await User.create({
+      email: '[email protected]',
+      username: 'max',
+      password: 'secret',
+    })
+
+    const refreshToken = await User.refreshTokens.create(user)
+
+    ctx.request.request.headers.authorization = `Bearer ${refreshToken.value?.release()}`
+
+    const userAuthenticated = await guard.authenticateWithRefreshToken()
+
+    assert.isTrue(guard.isAuthenticated)
+    assert.isTrue(guard.authenticationAttempted)
+    assert.equal(guard.user, userAuthenticated)
+    assert.deepEqual(guard.getUserOrFail(), userAuthenticated)
+    assert.exists(userAuthenticated.currentToken)
+    assert.exists(refreshToken.value?.release())
+  })
+
   test('it should return a token when user is authenticated', async ({ assert }) => {
     const ctx = new HttpContextFactory().create()
     const userProvider = new JwtFakeUserProvider()

tests/helpers.ts

@@ -1,5 +1,12 @@
 import timekeeper from 'timekeeper'
 import { getActiveTest } from '@japa/runner'
+import { BaseModel } from '@adonisjs/lucid/orm'
+import { AppFactory } from '@adonisjs/core/factories/app'
+import { mkdir, rm } from 'node:fs/promises'
+import { join } from 'node:path'
+import { Emitter } from '@adonisjs/core/events'
+import { LoggerFactory } from '@adonisjs/core/factories/logger'
+import { Database } from '@adonisjs/lucid/database'
 
 /**
  * Travels time by seconds
@@ -39,3 +46,120 @@ export function freezeTime() {
     timekeeper.reset()
   })
 }
+
+/**
+ * Creates an instance of the database class for making queries
+ */
+export async function createDatabase() {
+  const test = getActiveTest()
+  if (!test) {
+    throw new Error('Cannot use "createDatabase" outside of a Japa test')
+  }
+
+  const basePath = test.context.fs.basePath
+  await mkdir(basePath)
+
+  const app = new AppFactory().create(test.context.fs.baseUrl, () => {})
+  const logger = new LoggerFactory().create()
+  const emitter = new Emitter(app)
+  const db = new Database(
+    {
+      connection: process.env.DB || 'sqlite',
+      connections: {
+        sqlite: {
+          client: 'sqlite3',
+          connection: {
+            filename: join(test.context.fs.basePath, 'db.sqlite3'),
+          },
+        },
+        pg: {
+          client: 'pg',
+          connection: {
+            host: process.env.PG_HOST as string,
+            port: Number(process.env.PG_PORT),
+            database: process.env.PG_DATABASE as string,
+            user: process.env.PG_USER as string,
+            password: process.env.PG_PASSWORD as string,
+          },
+        },
+        mssql: {
+          client: 'mssql',
+          connection: {
+            server: process.env.MSSQL_HOST as string,
+            port: Number(process.env.MSSQL_PORT! as string),
+            user: process.env.MSSQL_USER as string,
+            password: process.env.MSSQL_PASSWORD as string,
+            database: 'master',
+            options: {
+              enableArithAbort: true,
+            },
+          },
+        },
+        mysql: {
+          client: 'mysql2',
+          connection: {
+            host: process.env.MYSQL_HOST as string,
+            port: Number(process.env.MYSQL_PORT),
+            database: process.env.MYSQL_DATABASE as string,
+            user: process.env.MYSQL_USER as string,
+            password: process.env.MYSQL_PASSWORD as string,
+          },
+        },
+      },
+    },
+    logger,
+    emitter
+  )
+
+  test.cleanup(async () => {
+    db.manager.closeAll()
+    await rm(basePath, { force: true, recursive: true, maxRetries: 3 })
+  })
+  BaseModel.useAdapter(db.modelAdapter())
+  return db
+}
+
+/**
+ * Creates needed database tables
+ */
+export async function createTables(db: Database) {
+  const test = getActiveTest()
+  if (!test) {
+    throw new Error('Cannot use "createTables" outside of a Japa test')
+  }
+
+  test.cleanup(async () => {
+    await db.connection().schema.dropTable('users')
+    await db.connection().schema.dropTable('jwt_refresh_tokens')
+    await db.connection().schema.dropTable('remember_me_tokens')
+  })
+
+  await db.connection().schema.createTable('jwt_refresh_tokens', (table) => {
+    table.increments()
+    table.integer('tokenable_id').notNullable().unsigned()
+    table.string('type').notNullable()
+    table.string('name').nullable()
+    table.string('hash', 80).notNullable()
+    table.text('abilities').notNullable()
+    table.timestamp('created_at', { precision: 6, useTz: true }).notNullable()
+    table.timestamp('updated_at', { precision: 6, useTz: true }).notNullable()
+    table.timestamp('expires_at', { precision: 6, useTz: true }).nullable()
+    table.timestamp('last_used_at', { precision: 6, useTz: true }).nullable()
+  })
+
+  await db.connection().schema.createTable('users', (table) => {
+    table.increments()
+    table.string('username').unique().notNullable()
+    table.string('email').unique().notNullable()
+    table.string('password').nullable()
+  })
+
+  await db.connection().schema.createTable('remember_me_tokens', (table) => {
+    table.increments()
+    table.integer('tokenable_id').notNullable().unsigned()
+    table.string('hash', 80).notNullable()
+    table.timestamp('created_at', { precision: 6, useTz: true }).notNullable()
+    table.timestamp('updated_at', { precision: 6, useTz: true }).notNullable()
+    table.timestamp('expires_at', { precision: 6, useTz: true }).notNullable()
+  })
+}