refactor refresh-auth route

mpfeil · mpfeil · commit 94ccf867f4aa · 2024-12-20T13:42:10.000+01:00
diff --git a/packages/api/lib/controllers/usersController.js b/packages/api/lib/controllers/usersController.js
@@ -5,14 +5,15 @@ const { InternalServerError, ForbiddenError } = require('restify-errors'),
   {
     checkContentType,
     redactEmail,
-    postToMattermost,
+    postToMattermost
   } = require('../helpers/apiUtils'),
   { retrieveParameters } = require('../helpers/userParamHelpers'),
   handleError = require('../helpers/errorHandler'),
   {
     createToken,
     refreshJwt,
     invalidateToken,
+    verifyJwtAndRefreshToken
   } = require('../helpers/jwtHelpers');
 const { findDeviceById } = require('@sensebox/opensensemap-api-models/src/box/box');
 const { findDevicesByUserId } = require('@sensebox/opensensemap-api-models/src/device');
@@ -149,6 +150,10 @@ const signIn = async function signIn (req, res) {
  */
 const refreshJWT = async function refreshJWT (req, res) {
   try {
+    // Check if refreshToken matches JWT Token
+    await verifyJwtAndRefreshToken(req._userParams.token, req._jwtString);
+
+    // Now it´s time to refresh the JWT and invalidate the old one
     const { token, refreshToken, user } = await refreshJwt(
       req._userParams.token
     );
diff --git a/packages/api/lib/helpers/jwtHelpers.js b/packages/api/lib/helpers/jwtHelpers.js
@@ -89,7 +89,10 @@ const verifyJwt = function verifyJwt (req, res, next) {
     return next(new ForbiddenError(jwtInvalidErrorMessage));
   }
 
-  jwt.verify(jwtString, jwt_secret, jwtVerifyOptions, async function (err, decodedJwt) {
+  jwt.verify(jwtString, jwt_secret, {
+    ...jwtVerifyOptions,
+    ignoreExpiration: req.url === '/users/refresh-auth' ? true : false // ignore expiration for refresh endpoint
+  }, async function (err, decodedJwt) {
     if (err) {
       return next(new ForbiddenError(jwtInvalidErrorMessage));
     }
@@ -118,9 +121,20 @@ const verifyJwt = function verifyJwt (req, res, next) {
   });
 };
 
+const verifyJwtAndRefreshToken = async function verifyJwtAndRefreshToken (refreshToken, jwtString) {
+  if (refreshToken !== hashJWT(jwtString)) {
+    return Promise.reject(
+      new ForbiddenError(
+        'Refresh token invalid or too old. Please sign in with your username and password.'
+      )
+    );
+  }
+};
+
 module.exports = {
   createToken,
   invalidateToken,
   refreshJwt,
-  verifyJwt
+  verifyJwt,
+  verifyJwtAndRefreshToken
 };
diff --git a/packages/api/lib/routes.js b/packages/api/lib/routes.js
@@ -93,10 +93,10 @@ const routes = {
     { path: `${usersPath}/request-password-reset`, method: 'post', handler: usersController.requestResetPassword, reference: 'api-Users-request-password-reset' },
     { path: `${usersPath}/password-reset`, method: 'post', handler: usersController.resetPassword, reference: 'api-Users-password-reset' },
     { path: `${usersPath}/confirm-email`, method: 'post', handler: usersController.confirmEmailAddress, reference: 'api-Users-confirm-email' },
-    { path: `${usersPath}/sign-in`, method: 'post', handler: usersController.signIn, reference: 'api-Users-sign-in' },
-    { path: `${usersPath}/refresh-auth`, method: 'post', handler: usersController.refreshJWT, reference: 'api-Users-refresh-auth' }
+    { path: `${usersPath}/sign-in`, method: 'post', handler: usersController.signIn, reference: 'api-Users-sign-in' }
   ],
   'auth': [
+    { path: `${usersPath}/refresh-auth`, method: 'post', handler: usersController.refreshJWT, reference: 'api-Users-refresh-auth' },
     { path: `${usersPath}/me`, method: 'get', handler: usersController.getUser, reference: 'api-Users-getUser' },
     { path: `${usersPath}/me`, method: 'put', handler: usersController.updateUser, reference: 'api-Users-updateUser' },
     { path: `${usersPath}/me/boxes`, method: 'get', handler: usersController.getUserBoxes, reference: 'api-Users-getUserBoxes' },
