api: fix ldap check-auth (detect user and refresh token)

apps/api/src/ldap-tfa/ldap-tfa.controller.ts

@@ -64,8 +64,8 @@ export class LdapTfaController extends LdapController {
     status: HttpStatus.OK,
   })
   async loginTelegram(@AuthToken() token: string, @Res() reply: FastifyReply) {
-    const { employeeID } = await this.ldapTfaService.getUser(token);
-    const { authId } = await this.ldapTfaService.parseToken(token);
+    const { employeeID } = await this.ldapTfaService.getUser(token, { audience: 'auth' });
+    const { authId } = await this.ldapTfaService.parseToken(token, { audience: 'auth' });
 
     return axios
       .get(env.TELEGRAM_URL_SEND_AUTH_MESSAGE, {
@@ -107,22 +107,8 @@ export class LdapTfaController extends LdapController {
     status: HttpStatus.OK,
   })
   async loginConfirm(@AuthToken() token: string, @Res() reply: FastifyReply) {
-    const activatedToken = await this.ldapTfaService.activateToken(token);
+    const activatedToken = await this.ldapTfaService.activateToken(token, { audience: 'auth' });
 
     return reply.setCookie(env.COOKIE_TOKEN_NAME, activatedToken, cookieOptions).status(200).send();
   }
-
-  @Get('/check-auth')
-  @ApiResponse({
-    status: HttpStatus.OK,
-  })
-  async checkAuth(@AuthToken() token: string, @Res() reply: FastifyReply) {
-    const { authId } = await this.ldapTfaService.parseToken(token, { ignoreExpiration: true });
-
-    if (authId) return reply.status(HttpStatus.UNAUTHORIZED).send();
-
-    const user = await this.ldapTfaService.getUser(token, { ignoreExpiration: true });
-
-    return reply.status(200).send(user);
-  }
 }

apps/api/src/ldap-tfa/ldap-tfa.service.ts

@@ -38,14 +38,6 @@ export class LdapTfaService extends LdapService {
     }
   }
 
-  public async parseToken(token: string, options: JwtVerifyOptions = { audience: 'auth' }) {
-    try {
-      return this.jwtService.verify<TokenPayload>(token, options);
-    } catch (error) {
-      throw new UnauthorizedException(error);
-    }
-  }
-
   public async activateToken(token: string, options: JwtVerifyOptions = { audience: 'auth' }) {
     try {
       const { username } = this.jwtService.verify<TokenPayload>(token, options);

apps/api/src/ldap/ldap.controller.ts

@@ -101,4 +101,18 @@ export class LdapController implements BaseAuthController {
 
     return reply.send(user);
   }
+
+  @Get('/check-auth')
+  @ApiResponse({
+    status: HttpStatus.OK,
+  })
+  async checkAuth(@AuthToken() token: string, @Res() reply: FastifyReply) {
+    const { authId } = await this.ldapService.parseToken(token, { ignoreExpiration: true });
+
+    if (authId) return reply.status(HttpStatus.UNAUTHORIZED).send();
+
+    const user = await this.ldapService.getUser(token, { ignoreExpiration: true });
+
+    return reply.status(200).send(user);
+  }
 }

apps/api/src/ldap/ldap.service.ts

@@ -83,4 +83,12 @@ export class LdapService {
       throw new UnauthorizedException('Invalid token');
     }
   }
+
+  public async parseToken(token: string, options?: JwtVerifyOptions) {
+    try {
+      return this.jwtService.verify<TokenPayload>(token, options);
+    } catch (error) {
+      throw new UnauthorizedException(error);
+    }
+  }
 }