chingu-x · timDeHof · Mar 15, 2024 · Mar 7, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -0,0 +1 @@
+nodeLinker: node-modules
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,31 +6,33 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 Another example [here](https://co-pilot.dev/changelog)
 
-
 ## [Unreleased]
 
 ### Added
 
-- Add @ApiResponse tags to resources ([#76](https://github.com/chingu-x/chingu-dashboard-be/pull/76))
-- Add @ApiResponse tags to ideations and features ([#65](https://github.com/chingu-x/chingu-dashboard-be/pull/77))
-- Add refresh token functionality and global guard to protect all routes ([#78](https://github.com/chingu-x/chingu-dashboard-be/pull/78))- 
-- Add status to voyage table and return in /me endpoint ([#79](https://github.com/chingu-x/chingu-dashboard-be/pull/79))
-- Add github action for STG ([#81](https://github.com/chingu-x/chingu-dashboard-be/pull/81))
-- Add CHANGELOG.md ([#84](https://github.com/chingu-x/chingu-dashboard-be/pull/84))
-- Add Role/Permission guard ([#97](https://github.com/chingu-x/chingu-dashboard-be/pull/97))
-- Add e2e tests for auth controller ([#102](https://github.com/chingu-x/chingu-dashboard-be/pull/102))
-- Add e2e tests for techs controller ([#103](https://github.com/chingu-x/chingu-dashboard-be/pull/103))
-- Add check-in form database implementation and seed data ([#105](https://github.com/chingu-x/chingu-dashboard-be/pull/105))
-- Add e2e tests for forms controller ([#107](https://github.com/chingu-x/chingu-dashboard-be/pull/107))
+-   Add @ApiResponse tags to resources ([#76](https://github.com/chingu-x/chingu-dashboard-be/pull/76))
+-   Add @ApiResponse tags to ideations and features ([#65](https://github.com/chingu-x/chingu-dashboard-be/pull/77))
+-   Add refresh token functionality and global guard to protect all routes ([#78](https://github.com/chingu-x/chingu-dashboard-be/pull/78))-
+-   Add status to voyage table and return in /me endpoint ([#79](https://github.com/chingu-x/chingu-dashboard-be/pull/79))
+-   Add github action for STG ([#81](https://github.com/chingu-x/chingu-dashboard-be/pull/81))
+-   Add CHANGELOG.md ([#84](https://github.com/chingu-x/chingu-dashboard-be/pull/84))
+-   Add Role/Permission guard ([#97](https://github.com/chingu-x/chingu-dashboard-be/pull/97))
+-   Add e2e tests for auth controller ([#102](https://github.com/chingu-x/chingu-dashboard-be/pull/102))
+-   Add e2e tests for techs controller ([#103](https://github.com/chingu-x/chingu-dashboard-be/pull/103))
+-   Add check-in form database implementation and seed data ([#105](https://github.com/chingu-x/chingu-dashboard-be/pull/105))
+-   Add e2e tests for forms controller ([#107](https://github.com/chingu-x/chingu-dashboard-be/pull/107))
+-   Add new endpoint to revoke refresh token ([#116](https://github.com/chingu-x/chingu-dashboard-be/pull/116))
 
 ### Changed
-- Update docker compose and scripts in package.json to include a test database container and remove usage of .env.dev to avoid confusion ([#100](https://github.com/chingu-x/chingu-dashboard-be/pull/100))
-- Restructure seed/index.ts to work with e2e tests, and add  --runInBand to e2e scripts[#101](https://github.com/chingu-x/chingu-dashboard-be/pull/101)
-- Update changelog ([#104](https://github.com/chingu-x/chingu-dashboard-be/pull/104))
-- Update test.yml to run e2e tests on pull requests to the main branch [#105](https://github.com/chingu-x/chingu-dashboard-be/pull/105)
-- Update email templates to use domain in environment variables [#110](https://github.com/chingu-x/chingu-dashboard-be/pull/110)
+
+-   Update docker compose and scripts in package.json to include a test database container and remove usage of .env.dev to avoid confusion ([#100](https://github.com/chingu-x/chingu-dashboard-be/pull/100))
+-   Restructure seed/index.ts to work with e2e tests, and add --runInBand to e2e scripts[#101](https://github.com/chingu-x/chingu-dashboard-be/pull/101)
+-   Update changelog ([#104](https://github.com/chingu-x/chingu-dashboard-be/pull/104))
+-   Update test.yml to run e2e tests on pull requests to the main branch [#105](https://github.com/chingu-x/chingu-dashboard-be/pull/105)
+-   Update email templates to use domain in environment variables [#110](https://github.com/chingu-x/chingu-dashboard-be/pull/110)
 
 ### Fixed
-- Fix failed tests in app and ideation due to the change from jwt token response to http cookies ([#98](https://github.com/chingu-x/chingu-dashboard-be/pull/98))
+
+-   Fix failed tests in app and ideation due to the change from jwt token response to http cookies ([#98](https://github.com/chingu-x/chingu-dashboard-be/pull/98))
 
 ### Removed
diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
@@ -2,6 +2,7 @@ import {
     BadRequestException,
     Body,
     Controller,
+    Delete,
     HttpCode,
     HttpStatus,
     Post,
@@ -20,6 +21,7 @@ import {
     BadRequestErrorResponse,
     ForbiddenErrorResponse,
     LoginUnauthorizedErrorResponse,
+    NotFoundErrorResponse,
     UnauthorizedErrorResponse,
 } from "../global/responses/errors";
 import {
@@ -34,6 +36,9 @@ import { JwtAuthGuard } from "./guards/jwt-auth.guard";
 import { JwtRefreshAuthGuard } from "./guards/jwt-rt-auth.guard";
 import { Public } from "../global/decorators/public.decorator";
 import { AT_MAX_AGE, RT_MAX_AGE } from "../global/constants";
+import { RevokeRTDto } from "./dto/revoke-refresh-token.dto";
+import { Roles } from "../global/decorators/roles.decorator";
+import { AppRoles } from "./auth.roles";
 
 @ApiTags("Auth")
 @Controller("auth")
@@ -196,6 +201,37 @@ export class AuthController {
         res.status(HttpStatus.OK).send({ message: "Refresh Success" });
     }
 
+    @ApiOperation({
+        summary: "Revokes user's refresh token, with a valid user id",
+        description: "using the user's id, removes user's refresh token",
+    })
+    @ApiResponse({
+        status: HttpStatus.OK,
+        description: "Refresh token successfully revoked",
+        type: GenericSuccessResponse,
+    })
+    @ApiResponse({
+        status: HttpStatus.NOT_FOUND,
+        description: "User not found.",
+        type: NotFoundErrorResponse,
+    })
+    @ApiResponse({
+        status: HttpStatus.BAD_REQUEST,
+        description: "userId and email is provided",
+        type: BadRequestErrorResponse,
+    })
+    @ApiResponse({
+        status: HttpStatus.FORBIDDEN,
+        description: "user doesn't have permission to preform operation",
+        type: ForbiddenErrorResponse,
+    })
+    @HttpCode(HttpStatus.OK)
+    @Roles(AppRoles.Admin)
+    @Delete("refresh/userId")
+    async revoke(@Body() body: RevokeRTDto) {
+        await this.authService.revokeRefreshToken(body);
+    }
+
     @ApiOperation({
         summary:
             "When a user logs out, access and refresh tokens are cleared from cookies, refresh token is set to null in the database.",

diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -3,6 +3,7 @@ import {
     ForbiddenException,
     Injectable,
     Logger,
+    NotFoundException,
     UnauthorizedException,
 } from "@nestjs/common";
 import { UsersService } from "../users/users.service";
@@ -133,6 +134,40 @@ export class AuthService {
         return tokens;
     }
 
+    async revokeRefreshToken(body?: any): Promise<void> {
+        const { userId, email } = body;
+
+        if (userId && email)
+            throw new BadRequestException(
+                "Please provide either userId or email, not both",
+            );
+
+        if (userId) {
+            await this.prisma.user.update({
+                where: {
+                    id: userId,
+                },
+                data: {
+                    refreshToken: null,
+                },
+            });
+        } else if (email) {
+            await this.prisma.user.update({
+                where: {
+                    email: email,
+                },
+                data: {
+                    refreshToken: null,
+                },
+            });
+        } else {
+            throw new NotFoundException({
+                statusCode: 404,
+                message: "User not found",
+            });
+        }
+    }
+
     async logout(refreshToken: string) {
         try {
             const payload = await this.jwtService.verifyAsync(refreshToken, {

diff --git a/src/auth/dto/revoke-refresh-token.dto.ts b/src/auth/dto/revoke-refresh-token.dto.ts
@@ -0,0 +1,20 @@
+import { ApiProperty } from "@nestjs/swagger";
+import { IsNotEmpty, IsOptional, IsString } from "class-validator";
+
+export class RevokeRTDto {
+    @IsOptional()
+    @IsString()
+    @IsNotEmpty()
+    @ApiProperty({
+        example: "ebf84db9-3c8d-4900-a1eb-6a0050e983bb",
+    })
+    userId?: string;
+
+    @IsOptional()
+    @IsString()
+    @IsNotEmpty()
+    @ApiProperty({
+        example: "elza59@ethereal.email",
+    })
+    email?: "elza59@ethereal.email";
+}
diff --git a/test/auth.e2e-spec.ts b/test/auth.e2e-spec.ts
@@ -15,7 +15,7 @@ const resendUrl = "/auth/resend-email";
 const verifyUrl = "/auth/verify-email";
 const resetRequestUrl = "/auth/reset-password/request";
 const resetPWUrl = "/auth/reset-password";
-
+const revokeRTUrl = "/auth/refresh/userId";
 const loginAndGetTokens = async (
     email: string,
     password: string,
@@ -421,6 +421,101 @@ describe("AuthController e2e Tests", () => {
         });
     });
 
+    describe("Revoke Refresh Token DELETE /auth/refresh/userId", () => {
+        it("should return 200 if refresh token is revoked", async () => {
+            await loginAndGetTokens("l.castro@outlook.com", "password", app);
+
+            const { access_token, refresh_token } = await loginAndGetTokens(
+                "jessica.williamson@gmail.com",
+                "password",
+                app,
+            );
+
+            await prisma.user.update({
+                where: {
+                    email: "l.castro@outlook.com",
+                },
+                data: {
+                    refreshToken: null,
+                },
+            });
+
+            await request(app.getHttpServer())
+                .delete(revokeRTUrl)
+                .set("Cookie", [access_token, refresh_token])
+                .send({ email: "l.castro@outlook.com" })
+                .expect(200);
+        });
+
+        describe("checks if refresh token is null", () => {
+            it("should return null for user's refresh token", async () => {
+                const userEmail = "l.castro@outlook.com";
+                const updatedUser = await prisma.user.findUnique({
+                    where: {
+                        id: await getUserIdByEmail(userEmail, prisma),
+                    },
+                    select: {
+                        refreshToken: true,
+                    },
+                });
+                expect(updatedUser.refreshToken).toBeNull();
+            });
+        });
+
+        it("should return 401 if email is invalid", async () => {
+            await loginAndGetTokens("l.castro@outlook.com", "password", app);
+
+            const { access_token, refresh_token } = await loginAndGetTokens(
+                "jessica.williamson@gmail.com",
+                "password",
+                app,
+            );
+
+            await request(app.getHttpServer())
+                .delete(revokeRTUrl)
+                .set("Cookie", [access_token, refresh_token])
+                .send({})
+                .expect(404);
+        });
+
+        it("should return 403 if email and user id is provided", async () => {
+            await loginAndGetTokens("l.castro@outlook.com", "password", app);
+
+            const { access_token, refresh_token } = await loginAndGetTokens(
+                "jessica.williamson@gmail.com",
+                "password",
+                app,
+            );
+
+            await request(app.getHttpServer())
+                .delete(revokeRTUrl)
+                .set("Cookie", [access_token, refresh_token])
+                .send({
+                    userId: "c4daf07c-8dde-4a43-bfa4-a6fd49762dd5",
+                    email: "l.castro@outlook.com",
+                })
+                .expect(400);
+        });
+
+        it("should return 403 if user is not permitted", async () => {
+            await loginAndGetTokens("l.castro@outlook.com", "password", app);
+
+            const { access_token, refresh_token } = await loginAndGetTokens(
+                "dan@random.com",
+                "password",
+                app,
+            );
+
+            await request(app.getHttpServer())
+                .delete(revokeRTUrl)
+                .set("Cookie", [access_token, refresh_token])
+                .send({
+                    email: "l.castro@outlook.com",
+                })
+                .expect(403);
+        });
+    });
+
     describe("Request password reset POST /auth/reset-password/request", () => {
         it("should return 200 if user account exist, resetToken should be in the database", async () => {
             const userEmail = "jessica.williamson@gmail.com";