fix: refresh token expired in with access token and refresh token not…

… same user
PiedTeam · Jun 30, 2024 · e4e3259 · e4e3259
1 parent 4ccb4c3
commit e4e3259
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/src/modules/user/user.messages.ts b/src/modules/user/user.messages.ts
@@ -105,7 +105,7 @@ export const USER_MESSAGES = {
     WRONG_PASS_5_TIMES: "Entered wrong password over 5 times!",
 
     //token
-    REFRESH_TOKEN_IS_REQUIRED: "Refresh token is required",
+    REFRESH_TOKEN_NOT_VALID: "Refresh token is not valid",
     OTP_IS_INCORRECT: "OTP is incorrect",
 
     //don't have permission

diff --git a/src/modules/user/user.middlewares.ts b/src/modules/user/user.middlewares.ts
@@ -22,6 +22,7 @@ import { LoginRequestBody, TokenPayload } from "./user.requests";
 import usersService from "./user.services";
 import { StatusCodes } from "http-status-codes";
 import { numberToEnum } from "~/utils/handler";
+import jwt from "jsonwebtoken";
 
 //! Prevent db injection, XSS attack
 export const paramSchema: ParamSchema = {
@@ -1151,6 +1152,24 @@ export const refreshTokenCookieValidator = async (
             });
         }
 
+        const access_token = req.headers.authorization?.split(" ")[1];
+        const decoded_access_token = jwt.verify(
+            access_token as string,
+            process.env.JWT_SECRET_ACCESS_TOKEN as string,
+            {
+                ignoreExpiration: true,
+            },
+        ) as TokenPayload;
+
+        if (decoded_access_token.user_id !== decoded_refresh_token.user_id) {
+            next(
+                new ErrorWithStatus({
+                    message: USER_MESSAGES.REFRESH_TOKEN_NOT_VALID,
+                    status: HTTP_STATUS.UNAUTHORIZED,
+                }),
+            );
+        }
+
         req.decoded_refresh_token = decoded_refresh_token;
     } catch (error) {
         if (error instanceof JsonWebTokenError) {

diff --git a/src/modules/user/user.routes.ts b/src/modules/user/user.routes.ts
@@ -225,13 +225,13 @@ usersRouter.post(
 usersRouter.post(
     "/logout",
     accessTokenValidator,
-    refreshTokenCookieValidator,
+    wrapAsync(refreshTokenCookieValidator),
     wrapAsync(logoutController),
 );
 
 usersRouter.post(
     "/refresh-token",
-    refreshTokenCookieValidator,
+    wrapAsync(refreshTokenCookieValidator),
     wrapAsync(refreshTokenController),
 );