feat: make JWT refreshTokens more secure

Don't store the refresh token itself in the database; store a UUID instead. When refreshing the accessToken, verify the refresh token and check that the UUID carried in its payload matches a UUID stored in the database.
This commit is contained in:
Divlo
2022-08-29 17:26:43 +00:00
parent b71da7dcc9
commit 7e305429b4
8 changed files with 75 additions and 37 deletions


@ -1,5 +1,6 @@
import tap from 'tap'
import sinon from 'sinon'
import jwt from 'jsonwebtoken'
import { application } from '../../../../application.js'
import { authenticateUserTest } from '../../../../__test__/utils/authenticateUserTest.js'
@ -13,8 +14,7 @@ await tap.test('POST /users/refresh-token', async (t) => {
})
await t.test('succeeds', async (t) => {
const { accessToken, refreshToken, refreshTokenStubValue } =
await authenticateUserTest()
const { refreshToken, refreshTokenStubValue } = await authenticateUserTest()
sinon.stub(prisma, 'refreshToken').value({
...refreshTokenStubValue,
findFirst: async () => {
@ -28,9 +28,6 @@ await tap.test('POST /users/refresh-token', async (t) => {
const response = await application.inject({
method: 'POST',
url: '/users/refresh-token',
headers: {
authorization: `Bearer ${accessToken}`
},
payload: { refreshToken }
})
const responseJson = response.json()
@ -62,6 +59,9 @@ await tap.test('POST /users/refresh-token', async (t) => {
return refreshTokenExample
}
})
sinon.stub(jwt, 'verify').value(() => {
throw new Error('Invalid token')
})
const response = await application.inject({
method: 'POST',
url: '/users/refresh-token',