Removed renewing refresh token. Added validate endpoint for tokens. Refresh token is given only if 'remember me' option is enabled on login.

2025-06-17 16:38:51 +00:00
parent c7ece75e7a
commit 6b010f66ba
7 changed files with 195 additions and 114 deletions
--- a/backend/nestjs-seshat-api/src/auth/auth.service.ts
+++ b/backend/nestjs-seshat-api/src/auth/auth.service.ts
@ -14,22 +14,26 @@ export class AuthService {
  ) { }


-  async login(user: UserEntity): Promise<AuthenticationDto> {
-    return this.renew(user, null);
-  }
+  async login(
+    user: UserEntity,
+    withRefresh: boolean
+  ): Promise<AuthenticationDto> {
+    if (withRefresh) {
+      return this.renew(user);
+    }

-  async validate(
-    username: string,
-    password: string,
-  ): Promise<UserEntity | null> {
-    return await this.users.findOne({ username, password });
+    const access_token = await this.accessTokens.generate(user);
+    return {
+      ...access_token,
+      refresh_token: null,
+      refresh_exp: null,
+    }
  }

  async renew(
    user: UserEntity,
-    refresh_token: string | null
  ): Promise<AuthenticationDto | null> {
-    const new_refresh_data = await this.refreshTokens.generate(user, refresh_token);
+    const new_refresh_data = await this.refreshTokens.generate(user);
    const access_token = await this.accessTokens.generate(user);

    return {
@ -39,8 +43,83 @@ export class AuthService {
    }
  }

-  async revoke(userId: UUID, refreshToken: string): Promise<boolean> {
+  async validate(
+    username: string,
+    password: string,
+  ): Promise<UserEntity | null> {
+    return await this.users.findOne({ username, password });
+  }
+
+  async verify(
+    accessToken: string,
+    refreshToken: string
+  ): Promise<{ validation: boolean, userId: UUID | null, username: string | null }> {
+    if (!accessToken) {
+      if (!refreshToken) {
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        }
+      }
+
+      const refresh = await this.refreshTokens.verify(refreshToken);
+      if (refresh.message || !refresh.exp || refresh.exp * 1000 <= new Date().getTime()) {
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        };
+      }
+      return {
+        validation: null,
+        userId: refresh.sub,
+        username: refresh.username,
+      };
+    }
+    const access = await this.accessTokens.verify(accessToken);
+    const refresh = await this.refreshTokens.verify(refreshToken);
+    if (!access.username || !refresh.username || access.username != refresh.username) {
+      return {
+        validation: false,
+        userId: null,
+        username: null,
+      };
+    }
+    if (!access.sub || !refresh.sub || access.sub != refresh.sub) {
+      return {
+        validation: false,
+        userId: null,
+        username: null,
+      };
+    }
+
+    if (access.message || !access.exp || access.exp * 1000 <= new Date().getTime()) {
+      if (refresh.message || !refresh.exp || refresh.exp * 1000 <= new Date().getTime()) {
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        };
+      }
+      return {
+        validation: null,
+        userId: access.sub,
+        username: access.username,
+      };
+    }
+    return {
+      validation: true,
+      userId: access.sub,
+      username: access.username,
+    };
+  }
+
+  async revoke(
+    userId: UUID,
+    refreshToken: string
+  ): Promise<boolean> {
    const res = await this.refreshTokens.revoke(userId, refreshToken);
-    return res?.affected === 1
+    return res?.affected === 1;
  }
 }