🔒 fix: update refresh token handling to use plain token instead of hashed token (#5088)

* 🔒 fix: update refresh token handling to use plain token instead of hashed token

* 🔒 fix: simplify logoutUser by using plain refresh token for session lookup

Author: berry-13

api/server/controllers/AuthController.js

@@ -7,7 +7,6 @@ const {
   requestPasswordReset,
 } = require('~/server/services/AuthService');
 const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
-const { hashToken } = require('~/server/utils/crypto');
 const { logger } = require('~/config');
 
 const registrationController = async (req, res) => {
@@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
       return res.status(200).send({ token, user });
     }
 
-    // Hash the refresh token
-    const hashedToken = await hashToken(refreshToken);
-
     // Find the session with the hashed refresh token
-    const session = await findSession({ userId: userId, refreshToken: hashedToken });
+    const session = await findSession({ userId: userId, refreshToken: refreshToken });
+
     if (session && session.expiration > new Date()) {
       const token = await setAuthTokens(userId, res, session._id);
       res.status(200).send({ token, user });

api/server/services/AuthService.js

@@ -22,7 +22,6 @@ const {
 const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { registerSchema } = require('~/strategies/validators');
-const { hashToken } = require('~/server/utils/crypto');
 const { logger } = require('~/config');
 
 const domains = {
@@ -42,10 +41,7 @@ const genericVerificationMessage = 'Please check your email to verify your email
  */
 const logoutUser = async (userId, refreshToken) => {
   try {
-    const hash = await hashToken(refreshToken);
-
-    // Find the session with the matching user and refreshTokenHash
-    const session = await findSession({ userId: userId, refreshToken: hash });
+    const session = await findSession({ userId: userId, refreshToken: refreshToken });
 
     if (session) {
       try {
@@ -343,7 +339,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
     let refreshTokenExpires;
 
     if (sessionId) {
-      session = await findSession({ sessionId: sessionId });
+      session = await findSession({ sessionId: sessionId }, { lean: false });
       refreshTokenExpires = session.expiration.getTime();
       refreshToken = await generateRefreshToken(session);
     } else {