modify token validation logic

Author: janishar

.env.example

@@ -39,4 +39,4 @@ DB_ADMIN_PWD=changeit
 ACCESS_TOKEN_VALIDITY_DAYS=30
 REFRESH_TOKEN_VALIDITY_DAYS=120
 TOKEN_ISSUER=afteracademy.com
-TOKEN_AUDIENCE=afteracademy_users
+TOKEN_AUDIENCE=afteracademy.com

src/auth/authUtils.ts

@@ -11,11 +11,11 @@ export const getAccessToken = (authorization: string) => {
 	return authorization.split(' ')[1];
 };
 
-export const validateTokenData = (payload: JwtPayload, userId: Types.ObjectId): boolean => {
+export const validateTokenData = (payload: JwtPayload): boolean => {
 	if (!payload || !payload.iss || !payload.sub || !payload.aud || !payload.prm
 		|| payload.iss !== tokenInfo.issuer
 		|| payload.aud !== tokenInfo.audience
-		|| payload.sub !== userId.toHexString())
+		|| !Types.ObjectId.isValid(payload.sub))
 		throw new AuthFailureError('Invalid Access Token');
 	return true;
 };

src/auth/authentication.ts

@@ -2,10 +2,10 @@ import express from 'express';
 import { ProtectedRequest, Tokens } from 'app-request';
 import UserRepo from '../database/repository/UserRepo';
 import { AuthFailureError, AccessTokenError, TokenExpiredError } from '../core/ApiError';
-import JWT, { ValidationParams } from '../core/JWT';
+import JWT from '../core/JWT';
 import KeystoreRepo from '../database/repository/KeystoreRepo';
 import { Types } from 'mongoose';
-import { getAccessToken } from './authUtils';
+import { getAccessToken, validateTokenData } from './authUtils';
 import { tokenInfo } from '../config';
 import validator, { ValidationSource } from '../helpers/validator';
 import schema from './schema';
@@ -18,18 +18,13 @@ export default router.use(validator(schema.auth, ValidationSource.HEADER),
 		req.accessToken = getAccessToken(req.headers.authorization); // Express headers are auto converted to lowercase
 
 		try {
-			const jwtPayload = await JWT.decode(req.accessToken);
-			if (!jwtPayload.sub || !Types.ObjectId.isValid(jwtPayload.sub))
-				throw new AuthFailureError('Invalid access token');
+			const payload = await JWT.validate(req.accessToken);
+			validateTokenData(payload);
 
-			const user = await UserRepo.findById(new Types.ObjectId(jwtPayload.sub));
+			const user = await UserRepo.findById(new Types.ObjectId(payload.sub));
 			if (!user) throw new AuthFailureError('User not registered');
 			req.user = user;
 
-			const payload = await JWT.validate(
-				req.accessToken,
-				new ValidationParams(tokenInfo.issuer, tokenInfo.audience, req.user._id.toHexString()));
-
 			const keystore = await KeystoreRepo.findforKey(req.user._id, payload.prm);
 
 			if (!keystore || keystore.primaryKey !== payload.prm)

src/core/JWT.ts

@@ -34,11 +34,11 @@ export default class JWT {
 	/**
 	 * This method checks the token and returns the decoded data when token is valid in all respect
 	 */
-	public static async validate(token: string, validations: ValidationParams): Promise<JwtPayload> {
+	public static async validate(token: string): Promise<JwtPayload> {
 		const cert = await this.readPublicKey();
 		try {
 			// @ts-ignore
-			return <JwtPayload>await promisify(verify)(token, cert, validations);
+			return <JwtPayload>await promisify(verify)(token, cert);
 		} catch (e) {
 			Logger.debug(e);
 			if (e && e.name === 'TokenExpiredError') throw new TokenExpiredError();
@@ -48,29 +48,20 @@ export default class JWT {
 	}
 
 	/**
-	 * Returns the decoded payload without verifying if the signature is valid.
+	 * Returns the decoded payload if the signature is valid even if it is expired
 	 */
 	public static async decode(token: string): Promise<JwtPayload> {
+		const cert = await this.readPublicKey();
 		try {
-			return <JwtPayload>decode(token);
+			// @ts-ignore
+			return <JwtPayload>await promisify(verify)(token, cert, { ignoreExpiration: true });
 		} catch (e) {
 			Logger.debug(e);
 			throw new BadTokenError();
 		}
 	}
 }
 
-export class ValidationParams {
-	issuer: string;
-	audience: string;
-	subject: string;
-	constructor(issuer: string, audience: string, subject: string) {
-		this.issuer = issuer;
-		this.audience = audience;
-		this.subject = subject;
-	}
-}
-
 export class JwtPayload {
 	aud: string;
 	sub: string;

src/routes/v1/access/schema.ts

@@ -1,5 +1,5 @@
 import Joi from '@hapi/joi';
-import { JoiObjectId } from '../../../helpers/validator';
+import { JoiAuthBearer } from '../../../helpers/validator';
 
 export default {
 	userCredential: Joi.object().keys({
@@ -10,8 +10,7 @@ export default {
 		refreshToken: Joi.string().required().min(1),
 	}),
 	auth: Joi.object().keys({
-		'x-access-token': Joi.string().required().min(1),
-		'x-user-id': JoiObjectId().required(),
+		'authorization': JoiAuthBearer().required()
 	}).unknown(true),
 	signup: Joi.object().keys({
 		name: Joi.string().required().min(3),

src/routes/v1/access/token.ts

@@ -4,14 +4,13 @@ import { ProtectedRequest } from 'app-request';
 import { Types } from 'mongoose';
 import UserRepo from '../../../database/repository/UserRepo';
 import { AuthFailureError, } from '../../../core/ApiError';
-import JWT, { ValidationParams } from '../../../core/JWT';
+import JWT from '../../../core/JWT';
 import KeystoreRepo from '../../../database/repository/KeystoreRepo';
 import crypto from 'crypto';
 import { validateTokenData, createTokens, getAccessToken } from '../../../auth/authUtils';
 import validator, { ValidationSource } from '../../../helpers/validator';
 import schema from './schema';
 import asyncHandler from '../../../helpers/asyncHandler';
-import { tokenInfo } from '../../../config';
 
 const router = express.Router();
 
@@ -21,20 +20,17 @@ router.post('/refresh',
 		req.accessToken = getAccessToken(req.headers.authorization); // Express headers are auto converted to lowercase
 
 		const accessTokenPayload = await JWT.decode(req.accessToken);
-		if (!accessTokenPayload.sub || !Types.ObjectId.isValid(accessTokenPayload.sub))
-			throw new AuthFailureError('Invalid access token');
+		validateTokenData(accessTokenPayload);
 
 		const user = await UserRepo.findById(new Types.ObjectId(accessTokenPayload.sub));
 		if (!user) throw new AuthFailureError('User not registered');
 		req.user = user;
 
-		validateTokenData(accessTokenPayload, req.user._id);
+		const refreshTokenPayload = await JWT.validate(req.body.refreshToken);
+		validateTokenData(refreshTokenPayload);
 
-		const refreshTokenPayload = await JWT.validate(req.body.refreshToken,
-			new ValidationParams(
-				tokenInfo.issuer,
-				tokenInfo.audience,
-				req.user._id.toHexString()));
+		if (accessTokenPayload.sub !== refreshTokenPayload.sub)
+			throw new AuthFailureError('Invalid access token');
 
 		const keystore = await KeystoreRepo.find(
 			req.user._id,

tests/.env.test.example

@@ -32,4 +32,4 @@ DB_USER_PWD=changeit
 ACCESS_TOKEN_VALIDITY_DAYS=30
 REFRESH_TOKEN_VALIDITY_DAYS=120
 TOKEN_ISSUER=test.afteracademy.com
-TOKEN_AUDIENCE=test.afteracademy_users
+TOKEN_AUDIENCE=test.afteracademy.com