fix:add exp logic in jwt strategy

Signed-off-by: shitrerohit <[email protected]>

Author: shitrerohit

apps/api-gateway/src/authz/jwt.strategy.ts

@@ -1,17 +1,18 @@
 import * as dotenv from 'dotenv';
+import * as jwt from 'jsonwebtoken';
 
 import { ExtractJwt, Strategy } from 'passport-jwt';
-import { Injectable, Logger, UnauthorizedException, NotFoundException } from '@nestjs/common';
+import { Injectable, Logger, NotFoundException, UnauthorizedException } from '@nestjs/common';
 
+import { AuthzService } from './authz.service';
+import { CommonConstants } from '@credebl/common/common.constant';
+import { IOrganization } from '@credebl/common/interfaces/organization.interface';
 import { JwtPayload } from './jwt-payload.interface';
+import { OrganizationService } from '../organization/organization.service';
 import { PassportStrategy } from '@nestjs/passport';
+import { ResponseMessages } from '@credebl/common/response-messages';
 import { UserService } from '../user/user.service';
-import * as jwt from 'jsonwebtoken';
 import { passportJwtSecret } from 'jwks-rsa';
-import { CommonConstants } from '@credebl/common/common.constant';
-import { OrganizationService } from '../organization/organization.service';
-import { IOrganization } from '@credebl/common/interfaces/organization.interface';
-import { ResponseMessages } from '@credebl/common/response-messages';
 
 dotenv.config();
 
@@ -21,15 +22,20 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
 
   constructor(
     private readonly usersService: UserService,
-    private readonly organizationService: OrganizationService
-    ) {
-
+    private readonly organizationService: OrganizationService,
+    private readonly authzService: AuthzService
+  ) {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      secretOrKeyProvider: (request, jwtToken, done) => {
+      secretOrKeyProvider: async (request, jwtToken, done) => {
+        // Todo: We need to add this logic in seprate jwt gurd to handle the token expiration functionality.
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const decodedToken: any = jwt.decode(jwtToken);
-
+        const currentTime = Math.floor(Date.now() / 1000);
+        if (decodedToken?.exp < currentTime) {
+          const sessionIds = { sessions: [decodedToken?.sid] };
+          await this.authzService.logout(sessionIds);
+        }
         if (!decodedToken) {
           throw new UnauthorizedException(ResponseMessages.user.error.invalidAccessToken);
         }
@@ -49,26 +55,25 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
         });
       },
       algorithms: ['RS256']
-    });  
+    });
   }
 
   async validate(payload: JwtPayload): Promise<object> {
-
     let userDetails = null;
     let userInfo;
 
     if (payload?.email) {
       userInfo = await this.usersService.getUserByUserIdInKeycloak(payload?.email);
     }
-    
+
     if (payload.hasOwnProperty('client_id')) {
       const orgDetails: IOrganization = await this.organizationService.findOrganizationOwner(payload['client_id']);
-      
+
       this.logger.log('Organization details fetched');
       if (!orgDetails) {
         throw new NotFoundException(ResponseMessages.organisation.error.orgNotFound);
       }
-  
+
       // eslint-disable-next-line prefer-destructuring
       const userOrgDetails = 0 < orgDetails.userOrgRoles.length && orgDetails.userOrgRoles[0];
 
@@ -83,11 +88,10 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       });
 
       this.logger.log('User details set');
-
     } else {
       userDetails = await this.usersService.findUserinKeycloak(payload.sub);
     }
-    
+
     if (!userDetails) {
       throw new NotFoundException(ResponseMessages.user.error.notFound);
     }

apps/user/interfaces/user.interface.ts

@@ -182,6 +182,7 @@ export interface IUserSignIn {
 }
 
 export interface ISession {
+  id?: string;
   sessionToken?: string;
   userId?: string;
   expires?: number;

apps/user/repositories/user.repository.ts

@@ -681,6 +681,7 @@ export class UserRepository {
       const { sessionToken, userId, expires, refreshToken, accountId, sessionType } = tokenDetails;
       const sessionResponse = await this.prisma.session.create({
         data: {
+          id: tokenDetails.id,
           sessionToken,
           expires,
           userId,
@@ -959,7 +960,7 @@ export class UserRepository {
     }
   }
 
-  async deleteSessionRecordByRefreshToken(sessionId: string): Promise<session> {
+  async deleteSession(sessionId: string): Promise<session> {
     try {
       const userSession = await this.prisma.session.delete({
         where: {

apps/user/src/user.service.ts

@@ -449,9 +449,7 @@ export class UserService {
     try {
       this.validateEmail(email.toLowerCase());
       const userData = await this.userRepository.checkUserExist(email.toLowerCase());
-
       const userSessionDetails = await this.userRepository.fetchUserSessions(userData?.id);
-
       if (Number(process.env.SESSIONS_LIMIT) <= userSessionDetails?.length) {
         throw new BadRequestException(ResponseMessages.user.error.sessionLimitReached);
       }
@@ -475,8 +473,10 @@ export class UserService {
       } else {
         const decryptedPassword = await this.commonService.decryptPassword(password);
         const tokenDetails = await this.generateToken(email.toLowerCase(), decryptedPassword, userData);
-
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const decodedToken: any = jwt.decode(tokenDetails?.access_token);
         const sessionData = {
+          id: decodedToken.sid,
           sessionToken: tokenDetails?.access_token,
           userId: userData?.id,
           expires: tokenDetails?.expires_in,
@@ -553,7 +553,7 @@ export class UserService {
           throw new NotFoundException(ResponseMessages.user.error.userSeesionNotFound);
         }
         // Delete previous session
-        const deletePreviousSession = await this.userRepository.deleteSessionRecordByRefreshToken(sessionDetails.id);
+        const deletePreviousSession = await this.userRepository.deleteSession(sessionDetails.id);
         if (!deletePreviousSession) {
           throw new InternalServerErrorException(ResponseMessages.user.error.errorInDeleteSession);
         }