[1] apps/api: fix refresh token

2024-06-05 12:34:28 +03:00 · 2024-06-05 12:34:28 +03:00 · 399179baa2
commit 399179baa2
parent 2e5f9fd001
3 changed files with 20 additions and 15 deletions
--- a/apps/api/src/account/account.service.ts
+++ b/apps/api/src/account/account.service.ts
@ -94,8 +94,7 @@ export class AccountService {

  public async refreshToken(token: string) {
    try {
-      this.jwtService.verify(token);
-      const { username } = this.jwtService.decode(token) as DecodedToken;
+      const { username } = this.jwtService.verify<DecodedToken>(token, { ignoreExpiration: true });

      const account = await this.accountModel.findOne({ username });
      if (!account) {
--- a/apps/api/src/app.controller.ts
+++ b/apps/api/src/app.controller.ts
@ -27,14 +27,10 @@ export class AppController {
    @AuthParams() authParams: Params
  ) {
    try {
-      return this.handleDefaultCheck(req, reply, token);
+      return this.handleDefaultCheck(authParams, req, reply, token);
    } catch (error) {
      if (isTokenExpired(error)) {
-        try {
-          return this.handleExpiredToken(authParams, token, req, reply);
-        } catch {
-          return this.handleError(req, reply);
-        }
+        return this.handleExpiredToken(authParams, token, req, reply);
      }

      return this.handleError(req, reply);
@ -53,9 +49,6 @@ export class AppController {
      let newToken = '';

      if (authMode === 'ldap-tfa') {
-        const { aud } = this.appService.checkToken(token);
-        if (aud === 'auth') return this.handleError(req, reply);
-
        newToken = await this.ldapService.refreshToken(token);
      }

@ -75,11 +68,20 @@ export class AppController {
    }
  }

-  private handleDefaultCheck(req: FastifyRequest, reply: FastifyReply, token: string) {
+  private handleDefaultCheck(
+    { authMode }: Params,
+    req: FastifyRequest,
+    reply: FastifyReply,
+    token: string
+  ) {
    const { aud } = this.appService.checkToken(token);
    const originalUri = req.headers['x-original-uri'];

-    if (aud === 'auth' && !['/auth', '/login', '/socket.io'].some((x) => originalUri.includes(x))) {
+    if (
+      authMode === 'ldap-tfa' &&
+      aud === 'auth' &&
+      !['/auth', '/login', '/socket.io'].some((x) => originalUri.includes(x))
+    ) {
      return this.handleError(req, reply);
    }

--- a/apps/api/src/ldap/ldap.service.ts
+++ b/apps/api/src/ldap/ldap.service.ts
@ -43,8 +43,12 @@ export class LdapService {

  public async refreshToken(token: string) {
    try {
-      this.jwtService.verify(token);
-      const { username } = this.jwtService.decode(token) as DecodedToken;
+      const { username, aud = '' } = this.jwtService.verify<DecodedToken>(token, {
+        ignoreExpiration: true,
+      });
+
+      if (aud === 'auth') throw new UnauthorizedException();
+
      const user = await ldap.authenticate(username);

      await this.cacheManager.set(username, user);