destroy all user refresh tokens on logout

Joseph Ditton 2021-12-06 17:57:04 -07:00
parent cc0f32a75f
commit f00547de09
4 changed files with 10 additions and 6 deletions


@ -12,7 +12,7 @@ export const useJwtRefresh = (authToken, setAuthToken) => {
} else { } else {
setAuthToken(null); setAuthToken(null);
} }
}, 60000 * 10); // 10 minutes }, 60000 * 0.5); // 10 minutes
} }
return () => clearTimeout(refreshTimer.current); return () => clearTimeout(refreshTimer.current);
}, [authToken]); }, [authToken]);
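Review bot: The trailing comment on the changed timer line is now wrong: `60000 * 0.5` is 30 seconds, but the line still says `// 10 minutes`; change it to `}, 60000 * 0.5); // 30 seconds` (or the clearer `}, 30 * 1000); // 30 seconds`). A 30-second refresh cadence also means every open tab calls the refresh endpoint twice a minute, which looks like a debug value rather than something the commit title ("destroy all user refresh tokens on logout") sets out to change — worth confirming it was meant to land. The enclosing useJwtRefresh hook starts outside the hunk.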


@ -25,14 +25,14 @@ export class RefreshTokensController {
const tokenBody = this.jwtService.parseRefreshToken(refreshToken) as RefreshTokenBody; const tokenBody = this.jwtService.parseRefreshToken(refreshToken) as RefreshTokenBody;
const user = await this.usersService.find(tokenBody.userId, ['refreshTokens', 'userRoles']); const user = await this.usersService.find(tokenBody.userId, ['refreshTokens', 'userRoles']);
const userRoles = await this.rolesService.findByIds(user.userRoles.map((ur) => ur.roleId)); const roles = await this.rolesService.findByIds(user.userRoles.map((ur) => ur.roleId));
const userRefreshToken = user.refreshTokens.find((t) => t.id === tokenBody.id); const userRefreshToken = user.refreshTokens.find((t) => t.id === tokenBody.id);
if (!userRefreshToken) { if (!userRefreshToken) {
throw new HttpException('User refresh token not found', 401); throw new HttpException('User refresh token not found', 401);
} }
const token = this.jwtService.issueToken({ userId: user.id, roles: userRoles.map((r) => r.key) }); const token = this.jwtService.issueToken({ userId: user.id, roles: roles.map((r) => r.key) });
return { token }; return { token };
} }
} }


@ -8,6 +8,8 @@ import { RefreshToken } from 'server/entities/refresh_token.entity';
import { Skip } from 'server/decorators/skip.decorator'; import { Skip } from 'server/decorators/skip.decorator';
import { AuthGuard } from 'server/providers/guards/auth.guard'; import { AuthGuard } from 'server/providers/guards/auth.guard';
import { RolesService } from 'server/providers/services/roles.service'; import { RolesService } from 'server/providers/services/roles.service';
import { JwtBody } from 'server/decorators/jwt_body.decorator';
import { JwtBodyDto } from 'server/dto/jwt_body.dto';
// this is kind of a misnomer because we are doing token based auth // this is kind of a misnomer because we are doing token based auth
// instead of session based auth // instead of session based auth
@ -53,7 +55,9 @@ export class SessionsController {
} }
@Delete('/sessions') @Delete('/sessions')
async destroy(@Res({ passthrough: true }) res: Response) { async destroy(@Res({ passthrough: true }) res: Response, @JwtBody() jwtBody: JwtBodyDto) {
const user = await this.usersService.find(jwtBody.userId, ['refreshTokens']);
await this.refreshTokenService.destroy(...user.refreshTokens);
res.clearCookie('_refresh_token'); res.clearCookie('_refresh_token');
return { success: true }; return { success: true };
} }
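Review bot: `user` is dereferenced on the line after the new `usersService.find` call without a guard; if `find` resolves to null/undefined for an unknown or deleted user (its contract is not visible here), `user.refreshTokens` throws and logout fails with a 500 before the cookie is cleared. A tolerant form is `const tokens = user?.refreshTokens ?? [];` followed by `await this.refreshTokenService.destroy(...tokens);`, though whether `destroy` handles an empty list cleanly depends on the repository. The same unguarded `user.userRoles` access appears in the RefreshTokensController hunk. It is also worth a short comment on `destroy` that removing the stored refresh tokens and clearing `_refresh_token` does not invalidate an access token already issued, which stays usable until it expires. SessionsController continues outside the hunk.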


@ -14,7 +14,7 @@ export class RefreshTokensService {
return this.refreshTokenRespository.save(refreshToken); return this.refreshTokenRespository.save(refreshToken);
} }
destroy(refreshToken: RefreshToken) { destroy(...refreshTokens: RefreshToken[]) {
return this.refreshTokenRespository.remove(refreshToken); return this.refreshTokenRespository.remove(refreshTokens);
} }
} }
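Review bot: The return value of `destroy` changes shape on the new `remove(refreshTokens)` line: it now resolves to an array even when a caller passes a single token, so any existing caller that used the returned entity directly would need updating, and the method deserves a TSDoc line making the new contract explicit, e.g. `/** Removes the given refresh tokens; resolves to the removed entities as an array. */`. Taking `refreshTokens: RefreshToken[]` as a plain array parameter instead of a rest parameter would also spare the spread at the SessionsController call site. Whether `remove([])` is a no-op for a user with no stored tokens depends on the repository and is not visible here. RefreshTokensService's class header is outside the hunk.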