feat: improve token handling and validation (#690)

Initialize Token and Refresh Token instances inside schemes. Both classes now use scheme options instead of `$auth`. Also move token and refresh token prefixes to scheme `DEFAULTS`.

Improve `check` method to also check tokens status, deprecating `_checkStatus`. Return object with token and refresh token expired status.
```js
{
  valid: boolean,
  tokenExpired: boolean,
  refreshTokenExpired: boolean,
  isRefreshable: boolean
}
```
**Note:** `valid` is the only required property.

Alias `HTTPRequest` to `AxiosRequestConfig` and `HTTPResponse` to `AxiosResponse`.

RequestHandler class now use scheme options and methods instead of `$auth`.

Author: JoaoPedroAS51

demo/pages/secure.vue

@@ -15,14 +15,14 @@
           Test: <b-badge>{{ $auth.hasScope('test') }}</b-badge>
           Admin: <b-badge>{{ $auth.hasScope('admin') }}</b-badge>
         </b-card>
-        <b-card title="token" class="mb-2">
+        <b-card v-if="$auth.strategy.token" title="token" class="mb-2">
           <div style="white-space: nowrap; overflow: auto">
-            {{ $auth.token.get() || '-' }}
+            {{ $auth.strategy.token.get() || '-' }}
           </div>
         </b-card>
-        <b-card title="refresh token">
+        <b-card v-if="$auth.strategy.refreshToken" title="refresh token">
           <div style="white-space: nowrap; overflow: auto">
-            {{ $auth.refreshToken.get() || '-' }}
+            {{ $auth.strategy.refreshToken.get() || '-' }}
           </div>
         </b-card>
       </b-col>

src/core/auth.ts

@@ -1,6 +1,4 @@
 import { routeOption, isRelativeURL, isSet, isSameURL, getProp } from '../utils'
-import RefreshToken from '../inc/refresh-token'
-import Token from '../inc/token'
 import type { AuthOptions, HTTPRequest, HTTPResponse } from '../'
 import Storage from './storage'
 
@@ -10,9 +8,6 @@ export default class Auth {
   public strategies = {}
   public error: Error
 
-  public token: Token
-  public refreshToken: RefreshToken
-
   private _errorListeners = []
   private _redirectListeners = []
   private _stateWarnShown: boolean
@@ -30,10 +25,6 @@ export default class Auth {
     const storage = new Storage(ctx, options)
     this.$storage = storage
     this.$state = storage.state
-
-    // Token & Refresh Token
-    this.token = new Token(this)
-    this.refreshToken = new RefreshToken(this)
   }
 
   async init () {
@@ -180,7 +171,7 @@ export default class Auth {
 
   setUserToken (token) {
     if (!this.strategy.setUserToken) {
-      this.token.set(token)
+      this.strategy.token.set(token)
       return Promise.resolve()
     }
 
@@ -193,8 +184,8 @@ export default class Auth {
   reset (...args) {
     if (!this.strategy.reset) {
       this.setUser(false)
-      this.token.reset()
-      this.refreshToken.reset()
+      this.strategy.token.reset()
+      this.strategy.refreshToken.reset()
     }
 
     return this.strategy.reset(...args)
@@ -223,15 +214,12 @@ export default class Auth {
     return this.$state.loggedIn
   }
 
-  check () {
-    let loggedIn = Boolean(this.$state.user)
-
-    if (loggedIn && typeof this.strategy.check === 'function') {
-      loggedIn = this.strategy.check()
+  check (...args) {
+    if (!this.strategy.check) {
+      return { valid: true }
     }
 
-    this.$storage.setState('loggedIn', loggedIn)
-    return loggedIn
+    return this.strategy.check(...args)
   }
 
   fetchUserOnce (...args) {
@@ -243,7 +231,16 @@ export default class Auth {
 
   setUser (user) {
     this.$storage.setState('user', user)
-    this.check()
+
+    let check = { valid: Boolean(user) }
+
+    // If user is defined, perform scheme checks.
+    if (check.valid) {
+      check = this.check()
+    }
+
+    // Update `loggedIn` state
+    this.$storage.setState('loggedIn', check.valid)
   }
 
   // ---------------------------------------------------------------
@@ -254,7 +251,7 @@ export default class Auth {
     return this.$storage.getState('busy')
   }
 
-  request (endpoint: HTTPRequest, defaults = {}): Promise<HTTPResponse> {
+  request (endpoint: HTTPRequest, defaults: HTTPRequest = {}): Promise<HTTPResponse> {
     const _endpoint =
       typeof defaults === 'object'
         ? Object.assign({}, defaults, endpoint)
@@ -278,7 +275,7 @@ export default class Auth {
   }
 
   requestWith (strategy: string, endpoint: HTTPRequest, defaults?: HTTPRequest): Promise<HTTPResponse> {
-    const token = this.token.get()
+    const token = this.strategy.token.get()
 
     const _endpoint = Object.assign({}, defaults, endpoint)
 

src/core/middleware.ts

@@ -23,27 +23,20 @@ export default async function authMiddleware (ctx) {
       ctx.$auth.redirect('home')
     }
 
-    if (ctx.$auth.strategy &&
-      ctx.$auth.strategy.options.token &&
-      ctx.$auth.strategy.options.token.required) {
-      // Sync tokens
-      ctx.$auth.token.sync()
-      const refreshToken = ctx.$auth.refreshToken.sync()
-      const tokenStatus = ctx.$auth.token.status()
-      const refreshTokenStatus = ctx.$auth.refreshToken.status()
+    // Perform scheme checks.
+    const { tokenExpired, refreshTokenExpired, isRefreshable } = ctx.$auth.check(true)
 
-      // Refresh token has expired. There is no way to refresh. Force reset.
-      if (refreshTokenStatus.expired()) {
-        await ctx.$auth.reset()
-      } else if (tokenStatus.expired()) {
-        // Token has expired.
-        if (refreshToken) {
-          // Refresh token is available. Attempt refresh.
-          await ctx.$auth.refreshTokens()
-        } else {
-          // Refresh token is not available. Force reset.
-          await ctx.$auth.reset()
-        }
+    // Refresh token has expired. There is no way to refresh. Force reset.
+    if (refreshTokenExpired) {
+      ctx.$auth.reset()
+    } else if (tokenExpired) {
+      // Token has expired. Check if refresh token is available.
+      if (isRefreshable) {
+        // Refresh token is available. Attempt refresh.
+        await ctx.$auth.refreshTokens()
+      } else {
+        // Refresh token is not available. Force reset.
+        ctx.$auth.reset()
       }
     }
 

src/inc/refresh-token.ts

@@ -1,37 +1,40 @@
 import jwtDecode, { InvalidTokenError } from 'jwt-decode'
 import { addTokenPrefix } from '../utils'
-import type { Auth } from '../'
+import type { Scheme } from '../'
+import Storage from '../core/storage'
 import TokenStatus from './token-status'
 
 export default class RefreshToken {
-  public $auth: Auth
+  public scheme: Scheme
+  public $storage: Storage
 
-  constructor (auth: Auth) {
-    this.$auth = auth
+  constructor (scheme: Scheme, storage: Storage) {
+    this.scheme = scheme
+    this.$storage = storage
   }
 
   _getExpiration () {
-    const _key = this.$auth.options.refreshTokenExpiration.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.expirationPrefix + this.scheme.name
 
-    return this.$auth.$storage.getUniversal(_key)
+    return this.$storage.getUniversal(_key)
   }
 
   _setExpiration (expiration) {
-    const _key = this.$auth.options.refreshTokenExpiration.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.expirationPrefix + this.scheme.name
 
-    return this.$auth.$storage.setUniversal(_key, expiration)
+    return this.$storage.setUniversal(_key, expiration)
   }
 
   _syncExpiration () {
-    const _key = this.$auth.options.refreshTokenExpiration.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.expirationPrefix + this.scheme.name
 
-    return this.$auth.$storage.syncUniversal(_key)
+    return this.$storage.syncUniversal(_key)
   }
 
   _updateExpiration (refreshToken) {
     let refreshTokenExpiration
     const _tokenIssuedAtMillis = Date.now()
-    const _tokenTTLMillis = this.$auth.strategy.options.refreshToken.maxAge * 1000
+    const _tokenTTLMillis = this.scheme.options.refreshToken.maxAge * 1000
     const _tokenExpiresAtMillis = _tokenTTLMillis ? _tokenIssuedAtMillis + _tokenTTLMillis : 0
 
     try {
@@ -50,25 +53,25 @@ export default class RefreshToken {
   }
 
   _setToken (refreshToken) {
-    const _key = this.$auth.options.refreshToken.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.prefix + this.scheme.name
 
-    return this.$auth.$storage.setUniversal(_key, refreshToken)
+    return this.$storage.setUniversal(_key, refreshToken)
   }
 
   _syncToken () {
-    const _key = this.$auth.options.refreshToken.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.prefix + this.scheme.name
 
-    return this.$auth.$storage.syncUniversal(_key)
+    return this.$storage.syncUniversal(_key)
   }
 
   get () {
-    const _key = this.$auth.options.refreshToken.prefix + this.$auth.strategy.name
+    const _key = this.scheme.options.refreshToken.prefix + this.scheme.name
 
-    return this.$auth.$storage.getUniversal(_key)
+    return this.$storage.getUniversal(_key)
   }
 
   set (tokenValue) {
-    const refreshToken = addTokenPrefix(tokenValue, this.$auth.strategy.options.refreshToken.type)
+    const refreshToken = addTokenPrefix(tokenValue, this.scheme.options.refreshToken.type)
 
     this._setToken(refreshToken)
     this._updateExpiration(refreshToken)