add refresh token

Author: jordicher

.env.example

@@ -7,4 +7,8 @@ POSTGRES_PASSWORD=templateUserPass
 POSTGRES_USER=templateUser
 POSTGRES_HOST=localhost
 
-JWT_SECRET=secret
+JWT_SECRET=secret
+JWT_REFRESH_SECRET=secret
+
+ACCESS_TOKEN_EXPIRATION=1d
+REFRESH_TOKEN_EXPIRATION=1y

src/app.module.ts

@@ -2,10 +2,10 @@ import { Module } from '@nestjs/common';
 import { ConfigModule, ConfigType } from '@nestjs/config';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import * as Joi from 'joi';
+import { AuthModule } from './auth/auth.module';
 import config from './config';
 import { enviroments } from './environments';
 import { UsersModule } from './users/users.module';
-import { AuthModule } from './auth/auth.module';
 
 @Module({
   imports: [
@@ -15,6 +15,9 @@ import { AuthModule } from './auth/auth.module';
       isGlobal: true,
       validationSchema: Joi.object({
         JWT_SECRET: Joi.string().required(),
+        JWT_REFRESH_SECRET: Joi.string().required(),
+        ACCESS_TOKEN_EXPIRATION: Joi.string().required(),
+        REFRESH_TOKEN_EXPIRATION: Joi.string().required(),
       }),
       validationOptions: {
         abortEarly: true, //when true, stops validation on the first error, otherwise returns all the errors found. Defaults to true.
@@ -23,7 +26,6 @@ import { AuthModule } from './auth/auth.module';
     TypeOrmModule.forRootAsync({
       inject: [config.KEY],
       useFactory: (configService: ConfigType<typeof config>) => {
-        console.log(configService);
         return {
           type: 'postgres',
           host: configService.postgres.host,

src/auth/auth.module.ts

@@ -16,9 +16,9 @@ import { LocalStrategy } from './strategies/local.strategy';
       inject: [config.KEY],
       useFactory: (configService: ConfigType<typeof config>) => {
         return {
-          secret: configService.jwtSecret,
+          secret: configService.jwt.jwtSecret,
           signOptions: {
-            expiresIn: '1d',
+            expiresIn: configService.jwt.accessTokenExpiration,
           },
         };
       },

src/auth/controllers/auth.controller.ts

@@ -1,6 +1,7 @@
-import { Controller, Post, Request, UseGuards } from '@nestjs/common';
+import { Controller, Get, Post, Request, UseGuards } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { User } from '../../users/entities/user.entity';
+import { JwtAuthGuard } from '../guards/jwt-auth.guard';
 import { LocalAuthGuard } from '../guards/local-auth.guard';
 import { AuthService } from '../services/auth.service';
 
@@ -13,6 +14,14 @@ export class AuthController {
   @Post('login')
   login(@Request() req: { user: User }) {
     const user = req.user;
-    return this.authService.generateJWT(user);
+    return this.authService.login(user);
+  }
+
+  @Get('logout')
+  @ApiTags('Authentication')
+  @UseGuards(JwtAuthGuard)
+  async logOut(@Request() req: any, user) {
+    await this.authService.logout(user.email);
+    req.res.setHeader('Authorization', null);
   }
 }

src/auth/models/token.model.ts

@@ -1,4 +1,4 @@
 export interface PayloadToken {
   role: string;
-  id: number;
+  email: string;
 }

src/auth/services/auth.service.ts

@@ -1,5 +1,11 @@
-import { Injectable } from '@nestjs/common';
-import { JwtService } from '@nestjs/jwt';
+import {
+  HttpException,
+  HttpStatus,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { JwtService, JwtSignOptions } from '@nestjs/jwt';
 import * as bcrypt from 'bcrypt';
 import { User } from '../../users/entities/user.entity';
 import { UsersService } from '../../users/services/users.service';
@@ -10,6 +16,7 @@ export class AuthService {
   constructor(
     private usersService: UsersService,
     private jwtService: JwtService,
+    private configService: ConfigService,
   ) {}
 
   async validateUser(email: string, password: string) {
@@ -28,11 +35,64 @@ export class AuthService {
     return null;
   }
 
-  generateJWT(user: User) {
-    const payload: PayloadToken = { role: user.role, id: user.id };
+  login(user: User) {
+    const payload: PayloadToken = { role: user.role, email: user.email };
     return {
       access_token: this.jwtService.sign(payload),
       user,
     };
   }
+
+  async logout(user: User) {
+    return await this.usersService.removeRefreshToken(user.email);
+  }
+
+  async createAccessTokenFromRefreshToken(refreshToken: string) {
+    try {
+      const decoded = this.jwtService.decode(refreshToken) as PayloadToken;
+
+      if (!decoded) {
+        throw new Error();
+      }
+
+      const user = await this.usersService.findByEmailAndGetPassword(
+        decoded.email,
+      );
+
+      if (!user) {
+        throw new HttpException(
+          'User with this id does not exist',
+          HttpStatus.NOT_FOUND,
+        );
+      }
+
+      const isRefreshTokenMatching = await bcrypt.compare(
+        refreshToken,
+        user.refreshToken,
+      );
+
+      if (!isRefreshTokenMatching) {
+        throw new UnauthorizedException('Invalid token');
+      }
+
+      await this.jwtService.verifyAsync(refreshToken, this.getTokenOptions());
+      return this.login(user);
+    } catch {
+      throw new UnauthorizedException('Invalid token');
+    }
+  }
+
+  private getTokenOptions() {
+    const options: JwtSignOptions = {
+      secret: this.configService.get('JWT_REFRESH_SECRET'),
+    };
+
+    const expiration: string = this.configService.get(
+      'REFRESH_TOKEN_EXPIRATION',
+    );
+    if (expiration) {
+      options.expiresIn = expiration;
+    }
+    return options;
+  }
 }

src/auth/strategies/jwt.strategy.ts

@@ -11,7 +11,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       ignoreExpiration: false,
-      secretOrKey: configService.jwtSecret,
+      secretOrKey: configService.jwt.jwtSecret,
     });
   }
 

src/config.ts

@@ -12,6 +12,11 @@ export default registerAs('config', () => {
       password: process.env.POSTGRES_PASSWORD,
       user: process.env.POSTGRES_USER,
     },
-    jwtSecret: process.env.JWT_SECRET,
+    jwt: {
+      jwtSecret: process.env.JWT_SECRET,
+      jwtRefreshSecret: process.env.JWT_REFRESH_SECRET,
+      refreshTokenExpiration: process.env.REFRESH_TOKEN_EXPIRATION,
+      accessTokenExpiration: process.env.ACCESS_TOKEN_EXPIRATION,
+    },
   };
 });

src/users/services/users.service.ts

@@ -1,5 +1,6 @@
-import { Injectable } from '@nestjs/common';
+import { HttpException, HttpStatus, Injectable } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
+import * as bcrypt from 'bcrypt';
 import { Repository } from 'typeorm';
 import { CreateUserDto, UpdateUserDto } from '../dto/create-user.dto';
 import { User } from '../entities/user.entity';
@@ -41,4 +42,28 @@ export class UsersService {
   remove(id: number) {
     return `This action removes a #${id} user`;
   }
+
+  async setCurrentRefreshToken(refreshToken: string, userId: number) {
+    const currentHashedRefreshToken = await bcrypt.hash(refreshToken, 10);
+
+    return await this.userRepository.update(userId, {
+      refreshToken: currentHashedRefreshToken,
+    });
+  }
+
+  async removeRefreshToken(email: string) {
+    const user = await this.findByEmailAndGetPassword(email);
+    if (!user) {
+      throw new HttpException(
+        'User with this id does not exist',
+        HttpStatus.NOT_FOUND,
+      );
+    }
+    return this.userRepository.update(
+      { email },
+      {
+        refreshToken: null,
+      },
+    );
+  }
 }