
fixup! feat(api): use scope in refresh token
bpetetot committed Sep 3, 2024
1 parent 0ef0289 commit 2e36796
Showing 2 changed files with 18 additions and 18 deletions.
Expand Up @@ -30,18 +30,18 @@ async function findByUserId(userId) {
* @typedef {function} createRefreshTokenFromUserId
* @param {Object} params
* @param {string} params.userId
* @param {string} params.scope
* @param {string} params.audience
* @param {string} params.source
* @param {function} params.uuidGenerator
* @return {Promise<string>}
*/
async function createRefreshTokenFromUserId({ userId, scope, source, uuidGenerator = randomUUID }) {
async function createRefreshTokenFromUserId({ userId, audience, source, uuidGenerator = randomUUID }) {
const expirationDelaySeconds = config.authentication.refreshTokenLifespanMs / 1000;
const refreshToken = [userId, scope, uuidGenerator()].filter(Boolean).join(':');
const refreshToken = [userId, audience, uuidGenerator()].filter(Boolean).join(':');

await refreshTokenTemporaryStorage.save({
key: refreshToken,
value: { type: 'refresh_token', userId, scope, source },
value: { type: 'refresh_token', userId, audience, source },
expirationDelaySeconds,
});
await userRefreshTokensTemporaryStorage.lpush({ key: userId, value: refreshToken });
Expand All @@ -57,12 +57,12 @@ async function createRefreshTokenFromUserId({ userId, scope, source, uuidGenerat
* @typedef {function} createAccessTokenFromRefreshToken
* @param {Object} params
* @param {string} params.refreshToken
* @param {string} params.scope
* @param {string} params.audience
* @return {Promise<{expirationDelaySeconds: number, accessToken: string}>}
*/
async function createAccessTokenFromRefreshToken({ refreshToken, scope: targetScope }) {
const { userId, source, scope } = (await findByRefreshToken(refreshToken)) || {};
if (scope && scope !== targetScope) {
async function createAccessTokenFromRefreshToken({ refreshToken, audience: targetAudience }) {
const { userId, source, audience } = (await findByRefreshToken(refreshToken)) || {};
if (audience && audience !== targetAudience) {
throw new UnauthorizedError('Refresh token is invalid', 'INVALID_REFRESH_TOKEN');
}
if (!userId) throw new UnauthorizedError('Refresh token is invalid', 'INVALID_REFRESH_TOKEN');
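Review bot: The check `if (audience && audience !== targetAudience)` still accepts any target audience when the stored token carries no audience, and `createRefreshTokenFromUserId` lets that happen because a missing `audience` is silently dropped by `.filter(Boolean)` and persisted as undefined instead of being rejected. The JSDoc declares `params.audience` as a required string, so the two sides disagree; either fail closed at exchange time, `if (!audience || audience !== targetAudience) {`, or validate at creation with `if (!audience) throw new TypeError('audience is required');`. If the lenient branch is deliberate for refresh tokens issued before the audience was stored, a comment on that line saying so would stop the next reader from tightening it by accident. Both enclosing functions extend past their hunks, and the same point applies to the first hunk of this file.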
Expand Up @@ -14,25 +14,25 @@ describe('Integration | Identity Access Management | Domain | Service | refresh-
// given
const userId = '123';
const source = 'APP';
const scope = 'pix-orga';
const audience = 'app.pix.fr';
const uuidGenerator = () => 'XXX-123-456';

// when
const refreshToken = await refreshTokenService.createRefreshTokenFromUserId({
userId,
source,
scope,
audience,
uuidGenerator,
});

// then
expect(refreshToken).to.equal('123:pix-orga:XXX-123-456');
expect(refreshToken).to.equal('123:app.pix.fr:XXX-123-456');

const refreshTokenInDb = await refreshTokenService.findByRefreshToken(refreshToken);
expect(refreshTokenInDb).to.deep.equal({ type: 'refresh_token', source, scope, userId });
expect(refreshTokenInDb).to.deep.equal({ type: 'refresh_token', source, audience, userId });

const refreshTokensInDb = await refreshTokenService.findByUserId(userId);
expect(refreshTokensInDb).to.deep.equal(['123:pix-orga:XXX-123-456']);
expect(refreshTokensInDb).to.deep.equal(['123:app.pix.fr:XXX-123-456']);
});
});

Expand Down Expand Up @@ -64,17 +64,17 @@ describe('Integration | Identity Access Management | Domain | Service | refresh-
// given
const userId = '123';
const source = 'APP';
const scope = 'pix-orga';
const audience = 'app.pix.fr';
const uuidGenerator = () => 'XXX-123-456';
const refreshToken = await refreshTokenService.createRefreshTokenFromUserId({
userId,
source,
scope,
audience,
uuidGenerator,
});

// when
const { accessToken } = await refreshTokenService.createAccessTokenFromRefreshToken({ refreshToken, scope });
const { accessToken } = await refreshTokenService.createAccessTokenFromRefreshToken({ refreshToken, audience });

// then
expect(accessToken).to.be.a.string;
Expand All @@ -85,13 +85,13 @@ describe('Integration | Identity Access Management | Domain | Service | refresh-
// given
const userId = '123';
const source = 'APP';
const scope = 'pix-orga';
const audience = 'app.pix.fr';
const differentScope = 'pix-admin';
const uuidGenerator = () => 'XXX-123-456';
const refreshToken = await refreshTokenService.createRefreshTokenFromUserId({
userId,
source,
scope,
audience,
uuidGenerator,
});

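Review bot: `const differentScope = 'pix-admin';` in the third hunk keeps the old scope name and a scope-shaped value while the sibling `scope` was renamed to `audience`, so the test no longer reads as an audience-mismatch case. Its use lies past the end of the hunk, so I cannot see what it is passed to, but if it feeds `createAccessTokenFromRefreshToken({ refreshToken, audience: differentScope })` it should become `const differentAudience = 'other.pix.fr';` (constructed example) to match the new vocabulary. The enclosing `it` block begins and ends outside the hunk.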
