andrechristikan · Gzerox · Jul 24, 2025 · Jul 27, 2025 · Aug 1, 2025
diff --git a/src/modules/auth/controllers/auth.public.controller.ts b/src/modules/auth/controllers/auth.public.controller.ts
@@ -173,7 +173,8 @@ export class AuthPublicController {
 
             const token = this.authService.createToken(
                 userWithRole,
-                session._id
+                session._id,
+                session.jti
             );
 
             await this.databaseService.commitTransaction(databaseSession);
@@ -257,7 +258,8 @@ export class AuthPublicController {
 
             const token = this.authService.createToken(
                 userWithRole,
-                session._id
+                session._id,
+                session.jti
             );
 
             return {
@@ -338,7 +340,8 @@ export class AuthPublicController {
 
             const token = this.authService.createToken(
                 userWithRole,
-                session._id
+                session._id,
+                session.jti
             );
 
             return {

diff --git a/src/modules/auth/controllers/auth.shared.controller.ts b/src/modules/auth/controllers/auth.shared.controller.ts
@@ -48,6 +48,8 @@ import {
     IAuthJwtAccessTokenPayload,
     IAuthJwtRefreshTokenPayload,
 } from '@modules/auth/interfaces/auth.interface';
+import { v4 as uuidV4 } from 'uuid';
+import { SessionJtiProtected } from '@modules/session/decorators/session.jti.decorator';
 
 @ApiTags('modules.shared.auth')
 @Controller({
@@ -69,6 +71,7 @@ export class AuthSharedController {
 
     @AuthSharedRefreshDoc()
     @Response('auth.refresh')
+    @SessionJtiProtected()
     @UserProtected()
     @AuthJwtRefreshProtected()
     @ApiKeyProtected()
@@ -77,23 +80,57 @@ export class AuthSharedController {
     async refresh(
         @AuthJwtToken() refreshToken: string,
         @AuthJwtPayload<IAuthJwtRefreshTokenPayload>()
-        { user: userFromPayload, session }: IAuthJwtRefreshTokenPayload
+        {
+            user: userFromPayload,
+            session: sessionId,
+        }: IAuthJwtRefreshTokenPayload
     ): Promise<IResponse<AuthRefreshResponseDto>> {
-        const checkActive = await this.sessionService.findLoginSession(session);
+        const checkActive =
+            await this.sessionService.findLoginSession(sessionId);
         if (!checkActive) {
             throw new UnauthorizedException({
                 statusCode: ENUM_SESSION_STATUS_CODE_ERROR.NOT_FOUND,
                 message: 'session.error.notFound',
             });
         }
 
-        const user: IUserDoc =
-            await this.userService.findOneActiveById(userFromPayload);
-        const token = this.authService.refreshToken(user, refreshToken);
+        const dbSession: ClientSession =
+            await this.databaseService.createTransaction();
+        try {
+            const activeSession = await this.sessionService.findOneActiveById(
+                sessionId,
+                { session: dbSession }
+            );
+            const session = await this.sessionService.updateJti(
+                activeSession,
+                uuidV4(),
+                { session: dbSession }
+            );
+
+            const user: IUserDoc = await this.userService.findOneActiveById(
+                userFromPayload,
+                { session: dbSession }
+            );
+            const token = this.authService.refreshToken(
+                user,
+                refreshToken,
+                session.jti
+            );
+
+            await this.databaseService.commitTransaction(dbSession);
 
-        return {
-            data: token,
-        };
+            return {
+                data: token,
+            };
+        } catch (err: unknown) {
+            await this.databaseService.abortTransaction(dbSession);
+
+            throw new InternalServerErrorException({
+                statusCode: ENUM_APP_STATUS_CODE_ERROR.UNKNOWN,
+                message: 'http.serverError.internalServerError',
+                _error: err,
+            });
+        }
     }
 
     @AuthSharedChangePasswordDoc()

diff --git a/src/modules/auth/interfaces/auth.interface.ts b/src/modules/auth/interfaces/auth.interface.ts
@@ -34,6 +34,7 @@ export interface IAuthJwtAccessTokenPayload {
     termPolicy: IAuthJwtTermPolicyPayload;
     verification: IAuthJwtVerificationPayload;
     type: ENUM_POLICY_ROLE_TYPE;
+    jti?: string;
     iat?: number;
     nbf?: number;
     exp?: number;

diff --git a/src/modules/auth/interfaces/auth.service.interface.ts b/src/modules/auth/interfaces/auth.service.interface.ts
@@ -13,21 +13,23 @@ import { AuthLoginResponseDto } from '@modules/auth/dtos/response/auth.login.res
 export interface IAuthService {
     createAccessToken(
         subject: string,
-        payload: IAuthJwtAccessTokenPayload
+        payload: IAuthJwtAccessTokenPayload,
+        jwtid: string
     ): string;
     validateAccessToken(subject: string, token: string): boolean;
     payload<T = any>(token: string): T;
     createRefreshToken(
         subject: string,
-        payload: IAuthJwtRefreshTokenPayload
+        payload: IAuthJwtRefreshTokenPayload,
+        jti: string
     ): string;
     validateRefreshToken(subject: string, token: string): boolean;
     validateUser(passwordString: string, passwordHash: string): boolean;
     createPayloadAccessToken(
         data: IUserDoc,
         session: string,
         loginDate: Date,
-        loginFrom: ENUM_AUTH_LOGIN_FROM
+        loginFrom: ENUM_AUTH_LOGIN_FROM,
     ): IAuthJwtAccessTokenPayload;
     createPayloadRefreshToken({
         user,
@@ -42,10 +44,15 @@ export interface IAuthService {
     ): IAuthPassword;
     createPasswordRandom(): string;
     checkPasswordExpired(passwordExpired: Date): boolean;
-    createToken(user: IUserDoc, session: string): AuthLoginResponseDto;
+    createToken(
+        user: IUserDoc,
+        session: string,
+        jti: string
+    ): AuthLoginResponseDto;
     refreshToken(
         user: IUserDoc,
-        refreshTokenFromRequest: string
+        refreshTokenFromRequest: string,
+        jti: string
     ): AuthLoginResponseDto;
     getPasswordAttempt(): boolean;
     getPasswordMaxAttempt(): number;

diff --git a/src/modules/auth/services/auth.service.ts b/src/modules/auth/services/auth.service.ts
@@ -21,6 +21,7 @@
 import { readFileSync } from 'fs';
 import { JwtService, JwtSignOptions } from '@nestjs/jwt';
 import { join } from 'path';
+import { v4 as uuidV4 } from 'uuid';
 
 @Injectable()
 export class AuthService implements IAuthService {
@@ -153,7 +154,8 @@
 
     createAccessToken(
         subject: string,
-        payload: IAuthJwtAccessTokenPayload
+        payload: IAuthJwtAccessTokenPayload,
+        jwtid: string
     ): string {
         return this.jwtService.sign(payload, {
             privateKey: this.jwtAccessTokenPrivateKey,
@@ -163,6 +165,7 @@
             subject,
             algorithm: this.jwtAlgorithm,
             keyid: this.jwtAccessTokenKid,
+            jwtid: jwtid,
         } as JwtSignOptions);
     }
 
@@ -188,7 +191,8 @@
 
     createRefreshToken(
         subject: string,
-        payload: IAuthJwtRefreshTokenPayload
+        payload: IAuthJwtRefreshTokenPayload,
+        jti: string
     ): string {
         return this.jwtService.sign(payload, {
             privateKey: this.jwtRefreshTokenPrivateKey,
@@ -198,6 +202,7 @@
             subject,
             algorithm: this.jwtAlgorithm,
             keyid: this.jwtRefreshTokenKid,
+            jwtid: jti
         } as JwtSignOptions);
     }
 
@@ -228,7 +233,7 @@
         data: IUserDoc,
         session: string,
         loginDate: Date,
-        loginFrom: ENUM_AUTH_LOGIN_FROM
+        loginFrom: ENUM_AUTH_LOGIN_FROM,
     ): IAuthJwtAccessTokenPayload {
         return {
             user: data._id,
@@ -306,7 +311,11 @@
         return today > passwordExpiredConvert;
     }
 
-    createToken(user: IUserDoc, session: string): AuthLoginResponseDto {
+    createToken(
+        user: IUserDoc,
+        session: string,
+        jti: string
+    ): AuthLoginResponseDto {
         const loginDate = this.helperDateService.create();
         const roleType = user.role.type;
 
@@ -315,18 +324,20 @@
                 user,
                 session,
                 loginDate,
-                ENUM_AUTH_LOGIN_FROM.CREDENTIAL
+                ENUM_AUTH_LOGIN_FROM.CREDENTIAL,
             );
         const accessToken: string = this.createAccessToken(
             user._id,
-            payloadAccessToken
+            payloadAccessToken,
+            jti
         );
 
         const payloadRefreshToken: IAuthJwtRefreshTokenPayload =
             this.createPayloadRefreshToken(payloadAccessToken);
         const refreshToken: string = this.createRefreshToken(
             user._id,
-            payloadRefreshToken
+            payloadRefreshToken,
+            jti
         );
 
         return {
@@ -340,7 +351,8 @@
 
     refreshToken(
         user: IUserDoc,
-        refreshTokenFromRequest: string
+        refreshTokenFromRequest: string,
+        jti: string
     ): AuthLoginResponseDto {
         const roleType = user.role.type;
 
@@ -356,7 +368,8 @@
             );
         const accessToken: string = this.createAccessToken(
             user._id,
-            payloadAccessToken
+            payloadAccessToken,
+            jti
         );
 
         return {

diff --git a/src/modules/session/decorators/session.jti.decorator.ts b/src/modules/session/decorators/session.jti.decorator.ts
@@ -0,0 +1,6 @@
+import { applyDecorators, UseGuards } from '@nestjs/common';
+import { SessionJtiGuard } from '@modules/session/guards/session.jti.guard';
+
+export function SessionJtiProtected(): MethodDecorator {
+    return applyDecorators(UseGuards(SessionJtiGuard));
+}
diff --git a/src/modules/session/enums/session.status-code.enum.ts b/src/modules/session/enums/session.status-code.enum.ts
@@ -2,4 +2,5 @@ export enum ENUM_SESSION_STATUS_CODE_ERROR {
     NOT_FOUND = 5070,
     EXPIRED = 5071,
     FORBIDDEN_REVOKE = 5072,
+    INVALID_JTI = 5080
 }
diff --git a/src/modules/session/guards/session.jti.guard.ts b/src/modules/session/guards/session.jti.guard.ts
@@ -0,0 +1,52 @@
+import {
+    CanActivate,
+    ExecutionContext,
+    Injectable,
+    UnauthorizedException,
+} from '@nestjs/common';
+import { SessionService } from '@modules/session/services/session.service';
+import { Reflector } from '@nestjs/core';
+import { ENUM_SESSION_STATUS_CODE_ERROR } from '@modules/session/enums/session.status-code.enum';
+import { IRequestApp } from '@common/request/interfaces/request.interface';
+import { IAuthJwtRefreshTokenPayload } from '@modules/auth/interfaces/auth.interface';
+
+@Injectable()
+export class SessionJtiGuard implements CanActivate {
+    constructor(
+        private readonly sessionService: SessionService,
+        private readonly reflector: Reflector
+    ) {}
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const request = context
+            .switchToHttp()
+            .getRequest<IRequestApp<IAuthJwtRefreshTokenPayload>>();
+        const user = request.user;
+
+        if (!user || !user.session || !user.jti) {
+            throw new UnauthorizedException({
+                statusCode: ENUM_SESSION_STATUS_CODE_ERROR.NOT_FOUND,
+                message: 'session.error.notFound',
+            });
+        }
+
+        const session = await this.sessionService.findOneActiveById(
+            user.session
+        );
+        if (!session) {
+            throw new UnauthorizedException({
+                statusCode: ENUM_SESSION_STATUS_CODE_ERROR.NOT_FOUND,
+                message: 'session.error.notFound',
+            });
+        }
+
+        if (session.jti !== user.jti) {
+            throw new UnauthorizedException({
+                statusCode: ENUM_SESSION_STATUS_CODE_ERROR.INVALID_JTI,
+                message: 'session.error.invalidJti',
+            });
+        }
+
+        return true;
+    }
+}
diff --git a/src/modules/session/interfaces/session.service.interface.ts b/src/modules/session/interfaces/session.service.interface.ts
@@ -4,7 +4,7 @@ import {
     IDatabaseDeleteManyOptions,
     IDatabaseFindAllOptions,
     IDatabaseGetTotalOptions,
-    IDatabaseOptions,
+    IDatabaseOptions, IDatabaseSaveOptions,
     IDatabaseUpdateManyOptions,
 } from '@common/database/interfaces/database.interface';
 import { SessionCreateRequestDto } from '@modules/session/dtos/request/session.create.request.dto';
@@ -59,6 +59,11 @@ export interface ISessionService {
     setLoginSession(user: IUserDoc, session: SessionDoc): Promise<void>;
     deleteLoginSession(_id: string): Promise<void>;
     resetLoginSession(): Promise<void>;
+    updateJti(
+        repository: SessionDoc,
+        jti: string,
+        options?: IDatabaseSaveOptions
+    ): Promise<SessionDoc>
     updateRevoke(
         repository: SessionDoc,
         options?: IDatabaseOptions

diff --git a/src/modules/session/repository/entities/session.entity.ts b/src/modules/session/repository/entities/session.entity.ts
@@ -36,6 +36,14 @@ export class SessionEntity extends DatabaseUUIDEntityBase {
     })
     user: string;
 
+    @DatabaseProp({
+        required: true,
+        index: true,
+        trim: true,
+        type: String,
+    })
+    jti: string;
+
     @DatabaseProp({
         required: true,
         trim: true,