Merge pull request #5 from gobeam/audit_fixes

fix: refresh token decode issue due to jwt upgrade fixed

README.md

@@ -12,6 +12,8 @@
 <img alt="GitHub package.json version" src="https://img.shields.io/github/package-json/v/gobeam/truthy">
 <img alt="GitHub all releases" src="https://img.shields.io/github/downloads/gobeam/truthy/total">
 <img alt="Lines of code" src="https://img.shields.io/tokei/lines/github/gobeam/truthy">
+<img src='https://www.codetriage.com/gobeam/truthy/badges/users.svg' alt='Open Source Helpers' />
+<img src='https://www.codetriage.com/gobeam/truthy-react-frontend/badges/users.svg' alt='Open Source Helpers' />
 </p>
 <div align="center">
   <sub>Created by <a href="https://www.linkedin.com/in/roshan-ranabhat/">Roshan Ranabhat (gobeam)</a> and maintained with ❤️ by an amazing <a href="https://github.com/gobeam/truthy-contributors">team of awesome developers</a>.</sub>

src/auth/auth.service.ts

@@ -46,6 +46,7 @@ import { RefreshTokenSerializer } from '../refresh-token/serializer/refresh-toke
 const throttleConfig = config.get('throttle.login');
 const jwtConfig = config.get('jwt');
 const appConfig = config.get('app');
+const isSameSite = process.env.IS_SAME_SITE || appConfig.sameSite;
 const BASE_OPTIONS: SignOptions = {
   issuer: appConfig.appUrl,
   audience: appConfig.frontendUrl
@@ -459,13 +460,13 @@ export class AuthService {
   getCookieForLogOut(): string[] {
     return [
       `Authentication=; HttpOnly; Path=/; Max-Age=0; ${
-        !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+        !isSameSite ? 'SameSite=None; Secure;' : ''
       }`,
       `Refresh=; HttpOnly; Path=/; Max-Age=0; ${
-        !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+        !isSameSite ? 'SameSite=None; Secure;' : ''
       }`,
       `ExpiresIn=; Path=/; Max-Age=0; ${
-        !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+        !isSameSite ? 'SameSite=None; Secure;' : ''
       }`
     ];
   }
@@ -478,18 +479,18 @@ export class AuthService {
   buildResponsePayload(accessToken: string, refreshToken?: string): string[] {
     let tokenCookies = [
       `Authentication=${accessToken}; HttpOnly; Path=/; ${
-        !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+        !isSameSite ? 'SameSite=None; Secure;' : ''
       } Max-Age=${jwtConfig.cookieExpiresIn}`
     ];
     if (refreshToken) {
       const expiration = new Date();
       expiration.setSeconds(expiration.getSeconds() + jwtConfig.expiresIn);
       tokenCookies = tokenCookies.concat([
         `Refresh=${refreshToken}; HttpOnly; Path=/; ${
-          !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+          !isSameSite ? 'SameSite=None; Secure;' : ''
         } Max-Age=${jwtConfig.cookieExpiresIn}`,
         `ExpiresIn=${expiration}; Path=/; ${
-          !appConfig.sameSite ? 'SameSite=None; Secure;' : ''
+          !isSameSite ? 'SameSite=None; Secure;' : ''
         } Max-Age=${jwtConfig.cookieExpiresIn}`
       ]);
     }

src/refresh-token/interface/refresh-token.interface.ts

@@ -1,4 +1,4 @@
 export interface RefreshTokenInterface {
-  jti: number;
-  sub: number;
+  jwtid: number;
+  subject: number;
 }

src/refresh-token/refresh-token.service.spec.ts

@@ -92,8 +92,8 @@ describe('RefreshTokenService', () => {
     it('test for malformed token', async () => {
       const testToken = 'test_token_hash';
       jest.spyOn(service, 'decodeRefreshToken').mockResolvedValue({
-        jti: 1,
-        sub: 1
+        jwtid: 1,
+        subject: 1
       });
       jest
         .spyOn(service, 'getStoredTokenFromRefreshTokenPayload')
@@ -116,8 +116,8 @@ describe('RefreshTokenService', () => {
     it('resolve refresh token for valid refresh token', async () => {
       const testToken = 'test_token_hash';
       jest.spyOn(service, 'decodeRefreshToken').mockResolvedValue({
-        jti: 1,
-        sub: 1
+        jwtid: 1,
+        subject: 1
       });
       jest
         .spyOn(service, 'getStoredTokenFromRefreshTokenPayload')
@@ -134,8 +134,8 @@ describe('RefreshTokenService', () => {
       expect(
         service.getStoredTokenFromRefreshTokenPayload
       ).toHaveBeenCalledWith({
-        jti: 1,
-        sub: 1
+        jwtid: 1,
+        subject: 1
       });
     });
   });
@@ -168,8 +168,8 @@ describe('RefreshTokenService', () => {
 
     it('decode valid refresh token', async () => {
       jwtService.verifyAsync.mockResolvedValue({
-        jti: 1,
-        sub: 1
+        jwtid: 1,
+        subject: 1
       });
       await service.decodeRefreshToken('refresh_token_hash');
       expect(jwtService.verifyAsync).toHaveBeenCalledTimes(1);
@@ -181,8 +181,8 @@ describe('RefreshTokenService', () => {
     it('check get user from refresh token with malformed token', async () => {
       await expect(
         service.getUserFromRefreshTokenPayload({
-          jti: null,
-          sub: null
+          jwtid: null,
+          subject: null
         })
       ).rejects.toThrowError(CustomHttpException);
       expect(authService.findById).toHaveBeenCalledTimes(0);
@@ -192,8 +192,8 @@ describe('RefreshTokenService', () => {
       authService.findById.mockResolvedValue(user);
       await expect(
         service.getUserFromRefreshTokenPayload({
-          jti: 1,
-          sub: 1
+          jwtid: 1,
+          subject: 1
         })
       ).resolves.not.toThrow();
       expect(authService.findById).toHaveBeenCalledTimes(1);
@@ -205,8 +205,8 @@ describe('RefreshTokenService', () => {
     it('check for malformed token', async () => {
       await expect(
         service.getStoredTokenFromRefreshTokenPayload({
-          jti: null,
-          sub: null
+          jwtid: null,
+          subject: null
         })
       ).rejects.toThrowError(CustomHttpException);
     });
@@ -215,8 +215,8 @@ describe('RefreshTokenService', () => {
       repository.findTokenById.mockResolvedValue(refreshToken);
       await expect(
         service.getStoredTokenFromRefreshTokenPayload({
-          jti: 1,
-          sub: 1
+          jwtid: 1,
+          subject: 1
         })
       ).resolves.not.toThrow();
       expect(repository.findTokenById).toHaveBeenCalledTimes(1);

src/refresh-token/refresh-token.service.ts

@@ -66,7 +66,6 @@ export class RefreshTokenService {
   }> {
     const payload = await this.decodeRefreshToken(encoded);
     const token = await this.getStoredTokenFromRefreshTokenPayload(payload);
-
     if (!token) {
       throw new CustomHttpException(
         ExceptionTitleList.NotFound,
@@ -146,7 +145,7 @@ export class RefreshTokenService {
   async getUserFromRefreshTokenPayload(
     payload: RefreshTokenInterface
   ): Promise<UserSerializer> {
-    const subId = payload.sub;
+    const subId = payload.subject;
 
     if (!subId) {
       throw new CustomHttpException(
@@ -166,7 +165,7 @@ export class RefreshTokenService {
   async getStoredTokenFromRefreshTokenPayload(
     payload: RefreshTokenInterface
   ): Promise<RefreshToken | null> {
-    const tokenId = payload.jti;
+    const tokenId = payload.jwtid;
 
     if (!tokenId) {
       throw new CustomHttpException(