Fixed/cleaned auth validation. Added 404 response when registrations are disabled.

2025-06-19 15:25:18 +00:00
parent bde574ccad
commit cc337d22f2
6 changed files with 57 additions and 46 deletions
--- a/backend/nestjs-seshat-api/src/auth/auth.service.ts
+++ b/backend/nestjs-seshat-api/src/auth/auth.service.ts
@ -60,60 +60,60 @@ export class AuthService {
    accessToken: string,
    refreshToken: string
  ): Promise<{ validation: boolean, userId: UUID | null, username: string | null }> {
-    if (!accessToken) {
-      if (!refreshToken) {
-        return {
-          validation: false,
-          userId: null,
-          username: null,
-        }
-      }
+    let access: any = null;
+    let refresh: any = null;

-      const refresh = await this.refreshTokens.verify(refreshToken);
-      if (refresh.message || !refresh.exp || refresh.exp * 1000 <= new Date().getTime()) {
+    if (accessToken) {
+      access = await this.accessTokens.verify(accessToken);
+      if (!access.username || !access.sub) {
        return {
          validation: false,
          userId: null,
          username: null,
        };
      }
+    }
+
+    if (refreshToken) {
+      refresh = await this.refreshTokens.verify(refreshToken);
+      if (!refresh.username || !refresh.sub) {
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        };
+      }
+    }
+
+    if (accessToken && refreshToken) {
+      if (access.username != refresh.username || access.sub != refresh.sub) {
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        };
+      }
+    }
+
+    if (!accessToken || !access.exp || access.exp * 1000 <= new Date().getTime()) {
+      if (!refreshToken || !refresh.exp || refresh.exp * 1000 <= new Date().getTime()) {
+        // Both expired.
+        return {
+          validation: false,
+          userId: null,
+          username: null,
+        };
+      }
+
+      // Refresh token is still active.
      return {
        validation: null,
        userId: refresh.sub,
        username: refresh.username,
      };
    }
-    const access = await this.accessTokens.verify(accessToken);
-    const refresh = await this.refreshTokens.verify(refreshToken);
-    if (!access.username || !refresh.username || access.username != refresh.username) {
-      return {
-        validation: false,
-        userId: null,
-        username: null,
-      };
-    }
-    if (!access.sub || !refresh.sub || access.sub != refresh.sub) {
-      return {
-        validation: false,
-        userId: null,
-        username: null,
-      };
-    }

-    if (access.message || !access.exp || access.exp * 1000 <= new Date().getTime()) {
-      if (refresh.message || !refresh.exp || refresh.exp * 1000 <= new Date().getTime()) {
-        return {
-          validation: false,
-          userId: null,
-          username: null,
-        };
-      }
-      return {
-        validation: null,
-        userId: access.sub,
-        username: access.username,
-      };
-    }
+    // Access still active, at least.
    return {
      validation: true,
      userId: access.sub,