From f00547de095ea6aafe9e0054dbf700fb69df33af Mon Sep 17 00:00:00 2001
From: Joseph Ditton
Date: Mon, 6 Dec 2021 17:57:04 -0700
Subject: [PATCH] destroy all user refresh tokens on logout
---
 client/utils/use_jwt_refresh.js | 2 +-
 server/controllers/refresh_tokens.controller.ts | 4 ++--
 server/controllers/sessions.controller.ts | 6 +++++-
 server/providers/services/refresh_tokens.service.ts | 4 ++--
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/client/utils/use_jwt_refresh.js b/client/utils/use_jwt_refresh.js
index 11d4122..b2233b8 100644
--- a/client/utils/use_jwt_refresh.js
+++ b/client/utils/use_jwt_refresh.js
@@ -12,7 +12,7 @@ export const useJwtRefresh = (authToken, setAuthToken) => {
       } else {
         setAuthToken(null);
       }
-    }, 60000 * 10); // 10 minutes
+    }, 60000 * 0.5); // 10 minutes
   }
   return () => clearTimeout(refreshTimer.current);
 }, [authToken]);
diff --git a/server/controllers/refresh_tokens.controller.ts b/server/controllers/refresh_tokens.controller.ts
index 6aa696f..efa9035 100644
--- a/server/controllers/refresh_tokens.controller.ts
+++ b/server/controllers/refresh_tokens.controller.ts
@@ -25,14 +25,14 @@ export class RefreshTokensController {
     const tokenBody = this.jwtService.parseRefreshToken(refreshToken) as RefreshTokenBody;
     const user = await this.usersService.find(tokenBody.userId, ['refreshTokens', 'userRoles']);
-    const userRoles = await this.rolesService.findByIds(user.userRoles.map((ur) => ur.roleId));
+    const roles = await this.rolesService.findByIds(user.userRoles.map((ur) => ur.roleId));
     const userRefreshToken = user.refreshTokens.find((t) => t.id === tokenBody.id);
     if (!userRefreshToken) {
       throw new HttpException('User refresh token not found', 401);
     }
-    const token = this.jwtService.issueToken({ userId: user.id, roles: userRoles.map((r) => r.key) });
+    const token = this.jwtService.issueToken({ userId: user.id, roles: roles.map((r) => r.key) });
     return { token };
   }
 }
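Review bot: The new timer value `60000 * 0.5` fires every 30 seconds, yet the trailing comment on the same added line still reads `// 10 minutes`, so either the interval or the comment is wrong, and nothing in the commit message ("destroy all user refresh tokens on logout") accounts for a 20x increase in calls to the refresh endpoint — it reads like a debugging value left in. Either restore `}, 60000 * 10); // 10 minutes` or, if 30 seconds is intended, write it as `}, 30 * 1000); // 30 seconds` and say why in the commit. A shorter refresh interval also means more frequent presentation of the refresh-token cookie, which widens the window in which a leaked cookie is exercised against a live token store. The enclosing `useJwtRefresh` effect starts before the hunk, so the branch that arms the timer is not visible here.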
diff --git a/server/controllers/sessions.controller.ts b/server/controllers/sessions.controller.ts
index e1d1155..8a85a12 100644
--- a/server/controllers/sessions.controller.ts
+++ b/server/controllers/sessions.controller.ts
@@ -8,6 +8,8 @@ import { RefreshToken } from 'server/entities/refresh_token.entity';
 import { Skip } from 'server/decorators/skip.decorator';
 import { AuthGuard } from 'server/providers/guards/auth.guard';
 import { RolesService } from 'server/providers/services/roles.service';
+import { JwtBody } from 'server/decorators/jwt_body.decorator';
+import { JwtBodyDto } from 'server/dto/jwt_body.dto';
 // this is kind of a misnomer because we are doing token based auth
 // instead of session based auth
@@ -53,7 +55,9 @@ export class SessionsController {
   }
   @Delete('/sessions')
-  async destroy(@Res({ passthrough: true }) res: Response) {
+  async destroy(@Res({ passthrough: true }) res: Response, @JwtBody() jwtBody: JwtBodyDto) {
+    const user = await this.usersService.find(jwtBody.userId, ['refreshTokens']);
+    await this.refreshTokenService.destroy(...user.refreshTokens);
     res.clearCookie('_refresh_token');
     return { success: true };
   }
diff --git a/server/providers/services/refresh_tokens.service.ts b/server/providers/services/refresh_tokens.service.ts
index e085129..2349b23 100644
--- a/server/providers/services/refresh_tokens.service.ts
+++ b/server/providers/services/refresh_tokens.service.ts
@@ -14,7 +14,7 @@ export class RefreshTokensService {
     return this.refreshTokenRespository.save(refreshToken);
   }
-  destroy(refreshToken: RefreshToken) {
-    return this.refreshTokenRespository.remove(refreshToken);
+  destroy(...refreshTokens: RefreshToken[]) {
+    return this.refreshTokenRespository.remove(refreshTokens);
   }
 }
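Review bot: `user.refreshTokens` on the second added line of `destroy` is dereferenced without checking that `usersService.find` returned a user, so if that lookup can resolve to null/undefined (its contract is not visible here — e.g. an account deleted while its access token was still valid) the handler throws before `res.clearCookie('_refresh_token')` runs, and the client is left with a 500 and a cookie it can no longer clear. Clear the cookie regardless and guard the lookup: `const user = await this.usersService.find(jwtBody.userId, ['refreshTokens']);` / `if (user?.refreshTokens?.length) await this.refreshTokenService.destroy(...user.refreshTokens);` / `res.clearCookie('_refresh_token');`. Revoking the refresh tokens does not invalidate the access token the client already holds — a stateless JWT stays usable until it expires — so this is only a complete logout if access-token lifetimes are short, which is worth stating in a comment on the method, e.g. `// Revokes every refresh token for the user (all devices); already-issued access tokens remain valid until expiry.`. Whether `AuthGuard` applies to this route, and so whether `jwtBody` is guaranteed to be present, is not visible in the hunk.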
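Review bot: The rest parameter `...refreshTokens` on the new `destroy` makes every caller spread an array it already holds, and it changes what the promise resolves to from a single entity to an array, which any existing caller that used the old single-token return value (none visible here) would see as a type change; an array parameter is the simpler contract, `destroy(refreshTokens: RefreshToken[]) {` with callers passing `user.refreshTokens` directly. Calling it with no arguments reaches `remove([])`, which TypeORM appears to treat as a no-op, but that is worth pinning with a test or an explicit early return rather than relying on. A one-line TSDoc would also help: `/** Deletes the given refresh tokens; pass all of a user's tokens to revoke every session. */`.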