♻️ Use session UUID as refresh token

staart · Oct 22, 2020 · 34eb080 · 34eb080
1 parent 0e605fe
commit 34eb080
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/src/config/configuration.ts b/src/config/configuration.ts
@@ -3,6 +3,7 @@ export default () => ({
   security: {
     saltRounds: process.env.SALT_ROUNDS ?? 10,
     jwtSecret: process.env.JWT_SECRET ?? 'staart',
+    accessTokenExpiry: process.env.ACCESS_TOKEN_EXPIRY ?? '1h',
   },
   email: {
     name: process.env.EMAIL_NAME ?? 'Staart',

diff --git a/src/modules/auth/auth.controller.ts b/src/modules/auth/auth.controller.ts
@@ -1,4 +1,4 @@
-import { Body, Controller, Post, UseGuards } from '@nestjs/common';
+import { Body, Controller, Headers, Ip, Post, UseGuards } from '@nestjs/common';
 import { users } from '@prisma/client';
 import { RateLimit } from 'nestjs-rate-limiter';
 import { OmitSecrets } from 'src/modules/prisma/prisma.interface';
@@ -16,8 +16,12 @@ export class AuthController {
     duration: 60,
     errorMessage: 'Wait for 60 seconds before trying to login again',
   })
-  async login(@Body() data: LoginDto): Promise<{ accessToken: string }> {
-    return this.authService.login(data.email, data.password);
+  async login(
+    @Body() data: LoginDto,
+    @Ip() ip: string,
+    @Headers('') userAgent: string,
+  ): Promise<{ accessToken: string }> {
+    return this.authService.login(ip, userAgent, data.email, data.password);
   }
 
   @Post('register')

diff --git a/src/modules/auth/auth.module.ts b/src/modules/auth/auth.module.ts
@@ -16,8 +16,7 @@ import { JwtStrategy } from './jwt.strategy';
     EmailModule,
     ConfigModule,
     JwtModule.register({
-      secret: process.env.JWT_SECRET,
-      signOptions: { expiresIn: '60s' },
+      secret: process.env.JWT_SECRET ?? 'staart',
     }),
   ],
   controllers: [AuthController],

diff --git a/src/modules/auth/auth.service.ts b/src/modules/auth/auth.service.ts
@@ -13,6 +13,7 @@ import { UsersService } from '../user/user.service';
 import { RegisterDto } from './auth.dto';
 import { compare } from 'bcrypt';
 import { JwtService } from '@nestjs/jwt';
+import { randomStringGenerator } from '@nestjs/common/utils/random-string-generator.util';
 
 @Injectable()
 export class AuthService {
@@ -40,12 +41,28 @@ export class AuthService {
     return null;
   }
 
-  async login(email: string, password?: string) {
+  async login(
+    ipAddress: string,
+    userAgent: string,
+    email: string,
+    password?: string,
+  ) {
     const id = await this.validateUser(email, password);
     if (!id) throw new UnauthorizedException();
-    const payload = { sub: id };
+    const token = randomStringGenerator();
+    await this.prisma.sessions.create({
+      data: { token, ipAddress, userAgent, user: { connect: { id } } },
+    });
     return {
-      accessToken: this.jwtService.sign(payload),
+      accessToken: this.jwtService.sign(
+        { sub: `user${id}` },
+        {
+          expiresIn: this.configService.get<string>(
+            'security.accessTokenExpiry',
+          ),
+        },
+      ),
+      refreshToken: token,
     };
   }