feat: add cooldown to refresh token security (#1736)

2023-09-27 15:03:50 +02:00
parent 96865b0fec
commit a4cde44b13
5 changed files with 30 additions and 13 deletions
--- a/server/src/core/auth/services/token.service.ts
+++ b/server/src/core/auth/services/token.service.ts
@ -114,6 +114,7 @@ export class TokenService {
  async verifyRefreshToken(refreshToken: string) {
    const secret = this.environmentService.getRefreshTokenSecret();
    const coolDown = this.environmentService.getRefreshTokenCoolDown();
    const jwtPayload = await this.verifyJwt(refreshToken, secret);
    assert(
@ -139,7 +140,11 @@ export class TokenService {
    assert(user, 'User not found', NotFoundException);
-    if (token.isRevoked) {
+    // Check if revokedAt is less than coolDown
    if (
      token.revokedAt &&
      token.revokedAt.getTime() <= Date.now() - ms(coolDown)
    ) {
      // Revoke all user refresh tokens
      await this.prismaService.client.refreshToken.updateMany({
        where: {
@ -148,16 +153,14 @@ export class TokenService {
          },
        },
        data: {
-          isRevoked: true,
+          revokedAt: new Date(),
        },
      });
    }
-    assert(
+      throw new ForbiddenException(
-      !token.isRevoked,
+        'Suspicious activity detected, this refresh token has been revoked. All tokens has been revoked.',
-      'Suspicious activity detected, this refresh token has been revoked. All tokens has been revoked.',
+      );
-      ForbiddenException,
+    }
    );
    return { user, token };
  }
@ -177,7 +180,7 @@ export class TokenService {
        id,
      },
      data: {
-        isRevoked: true,
+        revokedAt: new Date(),
      },
    });
--- a/server/src/database/migrations/20230926150534_alter_table_refresh_token_add_revoked_at/migration.sql
+++ b/server/src/database/migrations/20230926150534_alter_table_refresh_token_add_revoked_at/migration.sql
@ -0,0 +1,8 @@
 -- Step 1: Add the new column
 ALTER TABLE "refresh_tokens" ADD COLUMN "revokedAt" TIMESTAMP(3);
 -- Step 2: Update the new column based on the isRevoked column value
 UPDATE "refresh_tokens" SET "revokedAt" = NOW() - INTERVAL '1 day' WHERE "isRevoked" = TRUE;
 -- Step 3: Drop the isRevoked column
 ALTER TABLE "refresh_tokens" DROP COLUMN "isRevoked";
--- a/server/src/database/schema.prisma
+++ b/server/src/database/schema.prisma
@ -331,10 +331,7 @@ model Person {
 model RefreshToken {
  /// @Validator.IsString()
  /// @Validator.IsOptional()
-  id        String  @id @default(uuid())
+  id String @id @default(uuid())
  /// @Validator.IsBoolean()
  /// @Validator.IsOptional()
  isRevoked Boolean @default(false)
  /// @TypeGraphQL.omit(input: true, output: true)
  user   User   @relation(fields: [userId], references: [id])
@ -344,6 +341,8 @@ model RefreshToken {
  expiresAt DateTime
  /// @TypeGraphQL.omit(input: true, output: true)
  deletedAt DateTime?
  /// @TypeGraphQL.omit(input: true, output: true)
  revokedAt DateTime?
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
--- a/server/src/integrations/environment/environment.service.ts
+++ b/server/src/integrations/environment/environment.service.ts
@ -61,6 +61,10 @@ export class EnvironmentService {
    return this.configService.get<string>('REFRESH_TOKEN_EXPIRES_IN') ?? '90d';
  }
  getRefreshTokenCoolDown(): string {
    return this.configService.get<string>('REFRESH_TOKEN_COOL_DOWN') ?? '1m';
  }
  getLoginTokenSecret(): string {
    return this.configService.get<string>('LOGIN_TOKEN_SECRET')!;
  }
--- a/server/src/integrations/environment/environment.validation.ts
+++ b/server/src/integrations/environment/environment.validation.ts
@ -76,6 +76,9 @@ export class EnvironmentVariables {
  @IsDuration()
  @IsOptional()
  REFRESH_TOKEN_EXPIRES_IN: string;
  @IsDuration()
  @IsOptional()
  REFRESH_TOKEN_COOL_DOWN: string;
  @IsString()
  LOGIN_TOKEN_SECRET: string;