Skip to content

🔒 fix: update refresh token handling to use plain token instead of hashed token #5088

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 23, 2024
Merged

🔒 fix: update refresh token handling to use plain token instead of hashed token #5088

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
299bb35
🔒 fix: update refresh token handling to use plain token instead of ha…
berry-13 Dec 23, 2024
507930f
🔒 fix: simplify logoutUser by using plain refresh token for session l…
berry-13 Dec 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 2 additions & 5 deletions api/server/controllers/AuthController.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ const {
requestPasswordReset,
} = require('~/server/services/AuthService');
const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
const { hashToken } = require('~/server/utils/crypto');
const { logger } = require('~/config');

const registrationController = async (req, res) => {
Expand Down Expand Up @@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
return res.status(200).send({ token, user });
}

// Hash the refresh token
const hashedToken = await hashToken(refreshToken);

// Find the session with the hashed refresh token
const session = await findSession({ userId: userId, refreshToken: hashedToken });
const session = await findSession({ userId: userId, refreshToken: refreshToken });

if (session && session.expiration > new Date()) {
const token = await setAuthTokens(userId, res, session._id);
res.status(200).send({ token, user });
Expand Down
8 changes: 2 additions & 6 deletions api/server/services/AuthService.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ const {
const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
const { isEmailDomainAllowed } = require('~/server/services/domains');
const { registerSchema } = require('~/strategies/validators');
const { hashToken } = require('~/server/utils/crypto');
const { logger } = require('~/config');

const domains = {
Expand All @@ -42,10 +41,7 @@ const genericVerificationMessage = 'Please check your email to verify your email
*/
const logoutUser = async (userId, refreshToken) => {
try {
const hash = await hashToken(refreshToken);

// Find the session with the matching user and refreshTokenHash
const session = await findSession({ userId: userId, refreshToken: hash });
const session = await findSession({ userId: userId, refreshToken: refreshToken });

if (session) {
try {
Expand Down Expand Up @@ -343,7 +339,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
let refreshTokenExpires;

if (sessionId) {
session = await findSession({ sessionId: sessionId });
session = await findSession({ sessionId: sessionId }, { lean: false });
refreshTokenExpires = session.expiration.getTime();
refreshToken = await generateRefreshToken(session);
} else {
Expand Down
Loading