fix: use fresh user data when refreshing sessions (#75)

Author: nicknisi

src/session.spec.ts

@@ -743,6 +743,20 @@ describe('session', () => {
         authenticateWithRefreshToken.mockResolvedValue({
           accessToken: 'new.valid.token',
           refreshToken: 'new.refresh.token',
+          user: {
+            object: 'user',
+            id: 'user-1',
+            email: 'test@example.com',
+            emailVerified: true,
+            profilePictureUrl: null,
+            firstName: 'Test',
+            lastName: 'User',
+            lastSignInAt: '2021-01-01T00:00:00Z',
+            createdAt: '2021-01-01T00:00:00Z',
+            updatedAt: '2021-01-01T00:00:00Z',
+            externalId: null,
+          },
+          impersonator: undefined,
         } as AuthenticationResponse);
 
         // Mock different JWT decoding results for expired vs new token
@@ -907,6 +921,20 @@ describe('session', () => {
       authenticateWithRefreshToken.mockResolvedValue({
         accessToken: 'new.valid.token',
         refreshToken: 'new.refresh.token',
+        user: {
+          object: 'user',
+          id: 'user-1',
+          email: 'test@example.com',
+          emailVerified: true,
+          profilePictureUrl: null,
+          firstName: 'Test',
+          lastName: 'User',
+          lastSignInAt: '2021-01-01T00:00:00Z',
+          createdAt: '2021-01-01T00:00:00Z',
+          updatedAt: '2021-01-01T00:00:00Z',
+          externalId: null,
+        },
+        impersonator: undefined,
       } as AuthenticationResponse);
 
       // Mock JWT decoding

src/session.ts

@@ -45,17 +45,18 @@ export async function refreshSession(request: Request, { organizationId }: { org
   }
 
   try {
-    const { accessToken, refreshToken } = await getWorkOS().userManagement.authenticateWithRefreshToken({
-      clientId: getConfig('clientId'),
-      refreshToken: session.refreshToken,
-      organizationId,
-    });
+    const { accessToken, refreshToken, user, impersonator } =
+      await getWorkOS().userManagement.authenticateWithRefreshToken({
+        clientId: getConfig('clientId'),
+        refreshToken: session.refreshToken,
+        organizationId,
+      });
 
     const newSession = {
       accessToken,
       refreshToken,
-      user: session.user,
-      impersonator: session.impersonator,
+      user,
+      impersonator,
       headers: {} as Record<string, string>,
     };
 
@@ -76,14 +77,14 @@ export async function refreshSession(request: Request, { organizationId }: { org
     } = getClaimsFromAccessToken(accessToken);
 
     return {
-      user: session.user,
+      user,
       sessionId,
       accessToken,
       organizationId: newOrgId,
       role,
       permissions,
       entitlements,
-      impersonator: session.impersonator || null,
+      impersonator: impersonator ?? null,
       sealedSession: cookieSession.get('jwt'),
       headers: newSession.headers,
     };
@@ -117,20 +118,21 @@ async function updateSession(request: Request, debug: boolean) {
 
     const { organizationId } = getClaimsFromAccessToken(session.accessToken);
     // If the session is invalid (i.e. the access token has expired) attempt to re-authenticate with the refresh token
-    const { accessToken, refreshToken } = await getWorkOS().userManagement.authenticateWithRefreshToken({
-      clientId: getConfig('clientId'),
-      refreshToken: session.refreshToken,
-      organizationId,
-    });
+    const { accessToken, refreshToken, user, impersonator } =
+      await getWorkOS().userManagement.authenticateWithRefreshToken({
+        clientId: getConfig('clientId'),
+        refreshToken: session.refreshToken,
+        organizationId,
+      });
 
     // istanbul ignore next
     if (debug) console.log(`Refresh successful. New access token ends in ${accessToken.slice(-10)}`);
 
     const newSession = {
       accessToken,
       refreshToken,
-      user: session.user,
-      impersonator: session.impersonator,
+      user,
+      impersonator,
       headers: {},
     };