feat(auth): add workspaceId validation and token expiration (#9134)

Added validation to ensure refresh tokens include a workspaceId,
throwing an exception for malformed tokens. Included workspaceId in
payloads and introduced expiration handling for access tokens. This
enhances token security and prevents potential misuse.

Close #9126

packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts

@@ -100,6 +100,7 @@ export class AccessTokenService {
     return {
       token: this.jwtWrapperService.sign(jwtPayload, {
         secret: this.jwtWrapperService.generateAppSecret('ACCESS', workspaceId),
+        expiresIn,
       }),
       expiresAt,
     };

packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts

@@ -90,6 +90,14 @@ export class RefreshTokenService {
       );
     }
 
+    // TODO: Delete this useless condition and error after March 31st 2025
+    if (!token.workspaceId) {
+      throw new AuthException(
+        'This refresh token is malformed',
+        AuthExceptionCode.INVALID_INPUT,
+      );
+    }
+
     return { user, token };
   }
 
@@ -115,10 +123,12 @@ export class RefreshTokenService {
     const refreshTokenPayload = {
       userId,
       expiresAt,
+      workspaceId,
       type: AppTokenType.RefreshToken,
     };
     const jwtPayload = {
       sub: userId,
+      workspaceId,
     };
 
     const refreshToken = this.appTokenRepository.create(refreshTokenPayload);