refactor: handle authentication state in middleware

2026-04-11 10:27:01 +02:00 · 2023-02-04 18:12:49 +01:00
parent 064ef38d78
commit 4e840ecd29
17 changed files with 511 additions and 474 deletions
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@@ -120,7 +120,7 @@ export class AuthController {
    const accessToken = await this.authService.refreshAccessToken(
      request.cookies.refresh_token
    );
-    response.cookie("access_token", accessToken);
+    response = this.addTokensToResponse(response, undefined, accessToken);
    return new TokenDTO().from({ accessToken });
  }

@@ -162,11 +162,13 @@ export class AuthController {
    refreshToken?: string,
    accessToken?: string
  ) {
-    if (accessToken) response.cookie("access_token", accessToken);
+    if (accessToken)
+      response.cookie("access_token", accessToken, { sameSite: "lax" });
    if (refreshToken)
      response.cookie("refresh_token", refreshToken, {
        path: "/api/auth/token",
        httpOnly: true,
+        sameSite: "strict",
        maxAge: 1000 * 60 * 60 * 24 * 30 * 3,
      });

--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -110,26 +110,30 @@ export class AuthService {
      {
        sub: user.id,
        email: user.email,
+        isAdmin: user.isAdmin,
        refreshTokenId,
      },
      {
-        expiresIn: "15min",
+        expiresIn: "10s",
        secret: this.config.get("JWT_SECRET"),
      }
    );
  }

  async signOut(accessToken: string) {
-    const { refreshTokenId } = this.jwtService.decode(accessToken) as {
-      refreshTokenId: string;
-    };
+    const { refreshTokenId } =
+      (this.jwtService.decode(accessToken) as {
+        refreshTokenId: string;
+      }) || {};

-    await this.prisma.refreshToken
-      .delete({ where: { id: refreshTokenId } })
-      .catch((e) => {
-        // Ignore error if refresh token doesn't exist
-        if (e.code != "P2025") throw e;
-      });
+    if (refreshTokenId) {
+      await this.prisma.refreshToken
+        .delete({ where: { id: refreshTokenId } })
+        .catch((e) => {
+          // Ignore error if refresh token doesn't exist
+          if (e.code != "P2025") throw e;
+        });
+    }
  }

  async refreshAccessToken(refreshToken: string) {
--- a/backend/src/config/config.controller.ts
+++ b/backend/src/config/config.controller.ts
@@ -1,4 +1,5 @@
 import { Body, Controller, Get, Patch, Post, UseGuards } from "@nestjs/common";
+import { SkipThrottle } from "@nestjs/throttler";
 import { AdministratorGuard } from "src/auth/guard/isAdmin.guard";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
 import { EmailService } from "src/email/email.service";
@@ -16,6 +17,7 @@ export class ConfigController {
  ) {}

  @Get()
+  @SkipThrottle()
  async list() {
    return new ConfigDTO().fromList(await this.configService.list());
  }