@boarteam/boar-pack-users-backend 6.0.2 → 6.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boarteam/boar-pack-users-backend",
-  "version": "6.0.2",
+  "version": "6.1.0",
   "description": "NestJS Users module including permissions system, authentication strategies etc",
   "main": "src/index",
   "files": [
@@ -14,7 +14,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@boarteam/boar-pack-common-backend": "^3.0.1",
+    "@boarteam/boar-pack-common-backend": "^3.1.0",
     "@casl/ability": "^6.7.3",
     "@dataui/crud": "^5.3.4",
     "@dataui/crud-typeorm": "^5.3.4",
@@ -32,6 +32,7 @@
     "lodash": "^4.17.21",
     "moment": "^2.30.1",
     "moment-timezone": "^0.5.47",
+    "ms": "^2.1.3",
     "nestjs-joi": "^1.10.1",
     "openapi-typescript-codegen": "^0.29.0",
     "passport": "^0.7.0",
@@ -49,6 +50,7 @@
   },
   "devDependencies": {
     "@types/bcrypt": "^5.0.2",
+    "@types/ms": "^2.1.0",
     "@types/passport-google-oauth20": "^2.0.16",
     "@types/passport-http-bearer": "^1.0.41",
     "@types/passport-jwt": "^4.0.1",
@@ -62,5 +64,5 @@
     "yalc:push": "yalc push",
     "gen-types": "SWAGGER=true JWT_SECRET=swagger nest start"
   },
-  "gitHead": "e34dd089e6c90e6466fba9d27c20dd121a2301ca"
+  "gitHead": "18738ad91a207f2961e7571eddc3b5a5c76430f2"
 }

package/src/auth/auth-manage.controller.ts

@@ -1,6 +1,5 @@
 import { Controller, NotFoundException, Param, Post, Req, Res, } from '@nestjs/common';
 import { AuthService } from './auth.service';
-import { tokenName } from './auth.constants';
 import { ApiTags } from '@nestjs/swagger';
 import type { Request, Response } from 'express';
 import { LocalAuthTokenDto } from "./local-auth/local-auth.dto";
@@ -29,8 +28,8 @@ export default class AuthManageController {
       throw new NotFoundException(`User with id ${userId} is not found`);
     }
 
-    const loginResult = await this.authService.login(user);
-    this.authService.setCookie(res, loginResult.accessToken);
-    return loginResult;
+    const tokens = await this.authService.login(user);
+    this.authService.setCookie(res, tokens);
+    return tokens;
   }
 }

package/src/auth/auth-strategies.constants.ts

@@ -1,5 +1,6 @@
 export const LOCAL_AUTH = 'local';
 export const JWT_AUTH = 'jwt';
+export const JWT_AUTH_REFRESH = 'jwt-refresh';
 export const GOOGLE_AUTH = 'google';
 export const MS_AUTH = 'azure-ad';
 

package/src/auth/auth.config.ts

@@ -0,0 +1,20 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+
+export type TAuthConfig = {
+  refreshTokenPath: string;
+};
+
+@Injectable()
+export class AuthConfigService {
+  constructor(private configService: ConfigService) {
+  }
+
+  get config(): TAuthConfig {
+    const refreshTokenPath = this.configService.get<string>('REFRESH_TOKEN_PATH', '/api/auth/refresh');
+
+    return {
+      refreshTokenPath,
+    };
+  }
+}

package/src/auth/auth.constants.ts

@@ -1 +1,2 @@
 export const tokenName = 'auth_token';
+export const refreshTokenName = 'auth_refresh_token';

package/src/auth/auth.controller.ts

@@ -2,9 +2,10 @@ import { Controller, Post, Req, Res, UnauthorizedException, UseGuards } from '@n
 import { ApiTags } from '@nestjs/swagger';
 import type { Request, Response } from 'express';
 import { AuthService } from './auth.service';
-import { JwtAuthGuard } from '../jwt-auth/jwt-auth.guard';
+import { JwtAuthGuard, SkipJWTGuard } from '../jwt-auth/jwt-auth.guard';
 import { SkipPoliciesGuard } from '../casl/policies.guard';
 import { LocalAuthTokenDto } from "./local-auth/local-auth.dto";
+import { JwtAuthRefreshGuard } from "../jwt-auth/jwt-auth.refresh.guard";
 
 @SkipPoliciesGuard()
 @ApiTags('Authentication')
@@ -33,6 +34,21 @@ export default class AuthController {
       await this.authService.logout(req.jwt);
     }
 
-    this.authService.setCookie(res, '');
+    this.authService.clearCookies(res);
+  }
+
+  @SkipJWTGuard()
+  @UseGuards(JwtAuthRefreshGuard)
+  @Post('refresh')
+  async refresh(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response,
+  ): Promise<void> {
+    if (!req.user) {
+      throw new UnauthorizedException(`User is not authorized`);
+    }
+
+    const tokens = await this.authService.login(req.user);
+    this.authService.setCookie(res, tokens);
   }
 }

package/src/auth/auth.module.ts

@@ -19,6 +19,7 @@ import LocalAuthController from "./local-auth/local-auth.controller";
 import { YandexAuthStrategy } from "./yandex/yandex-auth.strategy";
 import { YandexAuthConfigService } from "./yandex/yandex-auth.config";
 import YandexAuthController from "./yandex/yandex-auth.controller";
+import { AuthConfigService } from "./auth.config";
 
 @Module({})
 export class AuthModule {
@@ -45,6 +46,7 @@ export class AuthModule {
       ],
       providers: [
         AuthService,
+        AuthConfigService,
         {
           provide: APP_GUARD,
           useClass: JwtAuthGuard,
@@ -102,6 +104,7 @@ export class AuthModule {
         }),
       ],
       providers: [
+        AuthConfigService,
         AuthService,
         {
           provide: APP_GUARD,

package/src/auth/auth.service.ts

@@ -1,10 +1,12 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { TUser, UsersService } from '../users';
-import { JWTAuthService, TJWTPayload } from '../jwt-auth';
+import { JWTAuthService, TJWTPayload, TJWTRefreshPayload } from '../jwt-auth';
 import bcrypt from 'bcrypt';
 import { LocalAuthTokenDto } from "./local-auth/local-auth.dto";
 import { Response } from 'express';
-import { tokenName } from "./auth.constants";
+import { refreshTokenName, tokenName } from "./auth.constants";
+import { AuthConfigService, TAuthConfig } from "./auth.config";
+import { TOKEN_TYPE } from "../revoked-tokens";
 
 declare global {
   namespace Express {
@@ -18,11 +20,15 @@ declare global {
 @Injectable()
 export class AuthService {
   private readonly logger = new Logger(AuthService.name);
+  private readonly config: TAuthConfig;
 
   constructor(
     private usersService: UsersService,
     private jwtAuthService: JWTAuthService,
-  ) {}
+    private readonly authConfigService: AuthConfigService,
+  ) {
+    this.config = this.authConfigService.config;
+  }
 
   async validateUser(email: string, pass: string): Promise<TUser | null> {
     const user = await this.usersService.findByEmail(email);
@@ -52,27 +58,65 @@ export class AuthService {
   }
 
   async login(user: Pick<TUser, 'email' | 'id'>): Promise<LocalAuthTokenDto> {
-    const payload: TJWTPayload = { email: user.email, sub: user.id };
+    const sid = this.jwtAuthService.generateJwtId();
+    const payload: TJWTPayload = {
+      email: user.email,
+      sub: user.id,
+      sid,
+    };
+    const refreshPayload: TJWTRefreshPayload = {
+      sub: user.id,
+      sid,
+    }
     return {
-      accessToken: this.jwtAuthService.sign(payload),
+      accessToken: this.jwtAuthService.sign(payload, TOKEN_TYPE.ACCESS),
+      refreshToken: this.jwtAuthService.sign(refreshPayload, TOKEN_TYPE.REFRESH),
     };
   }
 
   async logout(jwt: TJWTPayload): Promise<void> {
     if (!jwt.jti || !jwt.exp) {
-      this.logger.warn('JWT does not have JTI or exp, cannot log out');
+      this.logger.warn('JWT does not have JTI or exp, cannot revoke it');
       return;
     }
 
-    await this.jwtAuthService.revokeToken(jwt.jti, new Date(jwt.exp * 1000));
+    await this.jwtAuthService.revokeToken({
+      jti: jwt.jti,
+      expiresAt: new Date(jwt.exp * 1000),
+      tokenType: TOKEN_TYPE.ACCESS,
+      sid: jwt.sid || null,
+    });
     this.logger.log(`User with id ${jwt.sub} has been logged out and token revoked`);
   }
 
-  public setCookie(res: Response, token: string): void {
-    res.cookie(tokenName, token, {
+  public setCookie(res: Response, tokens: LocalAuthTokenDto): void {
+    res.cookie(tokenName, tokens.accessToken.token, {
+      httpOnly: true,
+      secure: process.env.SECURE_COOKIE === 'true',
+      sameSite: 'lax',
+      maxAge: tokens.accessToken.payload.exp && Math.max((tokens.accessToken.payload.exp * 1000) - Date.now(), 0),
+    });
+
+    res.cookie(refreshTokenName, tokens.refreshToken.token, {
+      httpOnly: true,
+      secure: process.env.SECURE_COOKIE === 'true',
+      sameSite: 'lax',
+      maxAge: tokens.refreshToken.payload.exp && Math.max((tokens.refreshToken.payload.exp * 1000) - Date.now(), 0),
+      path: this.config.refreshTokenPath,
+    });
+  }
+
+  public clearCookies(res: Response): void {
+    res.clearCookie(tokenName, {
+      httpOnly: true,
+      secure: process.env.SECURE_COOKIE === 'true',
+      sameSite: 'lax',
+    });
+    res.clearCookie(refreshTokenName, {
       httpOnly: true,
       secure: process.env.SECURE_COOKIE === 'true',
       sameSite: 'lax',
+      path: this.config.refreshTokenPath,
     });
   }
 }

package/src/auth/google/google-auth.controller.ts

@@ -32,8 +32,8 @@ export default class GoogleAuthController {
       throw new UnauthorizedException(`User is not authorized`);
     }
 
-    const loginResult = await this.authService.login(req.user);
-    this.authService.setCookie(res, loginResult.accessToken);
+    const tokens = await this.authService.login(req.user);
+    this.authService.setCookie(res, tokens);
     res.redirect('/');
   }
 }

package/src/auth/local-auth/local-auth.controller.ts

@@ -26,8 +26,8 @@ export default class LocalAuthController {
     if (!req.user) {
       throw new UnauthorizedException(`User is not authorized`);
     }
-    const loginResult = await this.authService.login(req.user);
-    this.authService.setCookie(res, loginResult.accessToken);
-    return loginResult;
+    const tokens = await this.authService.login(req.user);
+    this.authService.setCookie(res, tokens);
+    return tokens;
   }
 }

package/src/auth/local-auth/local-auth.dto.ts

@@ -1,8 +1,17 @@
+import { TJWTPayload, TJWTRefreshPayload } from "../../jwt-auth";
+
 export class LocalAuthLoginDto {
   email: string;
   password: string;
 }
 
 export class LocalAuthTokenDto {
-  accessToken: string;
+  accessToken: {
+    token: string;
+    payload: TJWTPayload;
+  };
+  refreshToken: {
+    token: string;
+    payload: TJWTRefreshPayload;
+  }
 }

package/src/auth/microsoft/ms-auth.controller.ts

@@ -33,8 +33,8 @@ export default class MsAuthController {
       throw new UnauthorizedException(`User is not authorized`);
     }
 
-    const loginResult = await this.authService.login(req.user);
-    this.authService.setCookie(res, loginResult.accessToken);
+    const tokens = await this.authService.login(req.user);
+    this.authService.setCookie(res, tokens);
     res.redirect('/');
   }
 }

package/src/auth/yandex/yandex-auth.controller.ts

@@ -32,8 +32,8 @@ export default class YandexAuthController {
       throw new UnauthorizedException(`User is not authorized`);
     }
 
-    const loginResult = await this.authService.login(req.user);
-    this.authService.setCookie(res, loginResult.accessToken);
+    const tokens = await this.authService.login(req.user);
+    this.authService.setCookie(res, tokens);
     res.redirect('/');
   }
 }

package/src/jwt-auth/jwt-auth.config.ts

@@ -1,8 +1,11 @@
 import { Injectable } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
+import { StringValue } from "ms";
 
 export type TJWTAuthConfig = {
   jwtSecret: string;
+  accessTokenExpiration: StringValue;
+  refreshTokenExpiration: StringValue;
 };
 
 @Injectable()
@@ -11,14 +14,14 @@ export class JWTAuthConfigService {
   }
 
   get config(): TJWTAuthConfig {
-    const jwtSecret = this.configService.get<string>('JWT_SECRET');
-
-    if (!jwtSecret) {
-      throw new Error('JWT_SECRET is not defined');
-    }
+    const jwtSecret = this.configService.getOrThrow<string>('JWT_SECRET');
+    const accessTokenExpiration = this.configService.get<StringValue>('ACCESS_TOKEN_EXPIRATION', '1h');
+    const refreshTokenExpiration = this.configService.get<StringValue>('REFRESH_TOKEN_EXPIRATION', '7d');
 
     return {
       jwtSecret,
+      accessTokenExpiration,
+      refreshTokenExpiration,
     };
   }
 }

package/src/jwt-auth/jwt-auth.module.ts

@@ -9,6 +9,7 @@ import { JWTAuthConfigService } from "./jwt-auth.config";
 import { PassportModule } from "@nestjs/passport";
 import { JWTAuthService } from "./jwt-auth.service";
 import { RevokedTokensModule } from '../revoked-tokens';
+import { JwtAuthRefreshStrategy } from "./jwt-auth.refresh.srtategy";
 
 @Module({})
 export class JwtAuthModule {
@@ -38,6 +39,7 @@ export class JwtAuthModule {
       providers: [
         JWTAuthConfigService,
         JwtAuthStrategy,
+        JwtAuthRefreshStrategy,
         JWTAuthService,
         {
           provide: APP_GUARD,

package/src/jwt-auth/jwt-auth.refresh.guard.ts

@@ -0,0 +1,7 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { JWT_AUTH_REFRESH } from '../auth/auth-strategies.constants';
+
+@Injectable()
+export class JwtAuthRefreshGuard extends AuthGuard(JWT_AUTH_REFRESH) {
+}

package/src/jwt-auth/jwt-auth.refresh.srtategy.ts

@@ -0,0 +1,85 @@
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable, Logger, UnauthorizedException } from '@nestjs/common';
+import { JWTAuthConfigService } from './jwt-auth.config';
+import { Request } from 'express';
+import { JWT_AUTH_REFRESH } from '../auth/auth-strategies.constants';
+import { refreshTokenName } from "../auth/auth.constants";
+import { UsersService } from '../users';
+import { RevokedTokensService, TOKEN_TYPE } from '../revoked-tokens';
+import { TJWTRefreshPayload } from "./jwt-auth.srtategy";
+import ms from "ms";
+
+@Injectable()
+export class JwtAuthRefreshStrategy extends PassportStrategy(Strategy, JWT_AUTH_REFRESH) {
+  private readonly logger = new Logger(JwtAuthRefreshStrategy.name);
+
+  constructor(
+    private usersService: UsersService,
+    private jwtAuthConfigService: JWTAuthConfigService,
+    private revokedTokensService: RevokedTokensService,
+  ) {
+    super({
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        ExtractJwt.fromAuthHeaderAsBearerToken(),
+        (req: Request) => {
+          const cookies = req.headers.cookie?.split('; ');
+          if (!cookies) {
+            return null;
+          }
+
+          const cookie = cookies.find(c => c.startsWith(`${refreshTokenName}=`));
+          if (!cookie) {
+            return null;
+          }
+
+          return cookie.split('=')[1];
+        },
+      ]),
+      ignoreExpiration: false,
+      secretOrKey: jwtAuthConfigService.config.jwtSecret,
+      passReqToCallback: false,
+    });
+  }
+
+  async validate(payload: TJWTRefreshPayload) {
+    this.logger.debug(`Validating refresh token for user with id: ${payload.sub}`);
+
+    // Check if a token has been revoked
+    if (!payload.jti) {
+      this.logger.error('Refresh token payload does not contain JTI');
+      throw new UnauthorizedException('Invalid token payload');
+    }
+
+    const isRevoked = await this.revokedTokensService.isTokenRevoked(payload.jti, payload.sid);
+    if (isRevoked) {
+      this.logger.debug(`Refresh token with JTI ${payload.jti} has already been revoked`);
+      throw new UnauthorizedException('Token has been revoked');
+    } else {
+      // Refresh token is valid, we revoke it to prevent reuse
+      this.logger.debug(`Revoking refresh token with JTI ${payload.jti}`);
+      await this.revokedTokensService.revokeRefreshToken({
+        jti: payload.jti,
+        expiresAt: new Date(
+          payload.exp
+            ? payload.exp * 1000
+            : Date.now() + ms(this.jwtAuthConfigService.config.refreshTokenExpiration)
+        ),
+        sid: payload.sid || null,
+        tokenType: TOKEN_TYPE.REFRESH,
+      });
+    }
+
+    const userId = payload.sub;
+    const user = await this.usersService.findOne({
+      select: ['id', 'email', 'role', 'permissions'],
+      where: { id: userId },
+    });
+
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    return user;
+  }
+}

package/src/jwt-auth/jwt-auth.service.ts

@@ -1,34 +1,59 @@
 import { Injectable } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
-import { TJWTPayload } from "./jwt-auth.srtategy";
-import { RevokedTokensService } from '../revoked-tokens';
+import { TJWTPayload, TJWTRefreshPayload } from "./jwt-auth.srtategy";
+import { RevokedToken, RevokedTokensService, TOKEN_TYPE, TRevokedToken } from '../revoked-tokens';
 import { v4 as uuidv4 } from 'uuid';
+import { JWTAuthConfigService, TJWTAuthConfig } from "./jwt-auth.config";
+import { JwtSignOptions } from "@nestjs/jwt/dist/interfaces";
+import ms from 'ms';
 
 @Injectable()
 export class JWTAuthService {
+  private readonly config: TJWTAuthConfig;
+
   constructor(
     private readonly jwtService: JwtService,
     private revokedTokensService: RevokedTokensService,
+    private readonly jwtAuthConfig: JWTAuthConfigService,
   ) {
+    this.config = this.jwtAuthConfig.config;
+  }
+
+  public generateJwtId(): string {
+    return uuidv4();
   }
 
-  sign(payload: TJWTPayload): string {
-    return this.jwtService.sign(payload, {
-      expiresIn: '1h',
-      jwtid: uuidv4(),
-    });
+  public sign<PayloadType extends TJWTPayload | TJWTRefreshPayload>(
+    payload: PayloadType,
+    tokenType: TOKEN_TYPE,
+  ) {
+    const expiresIn = tokenType === TOKEN_TYPE.ACCESS
+      ? this.config.accessTokenExpiration
+      : this.config.refreshTokenExpiration;
+    const options: JwtSignOptions = {
+      expiresIn,
+      jwtid: this.generateJwtId(),
+    }
+    return {
+      token: this.jwtService.sign(payload, options),
+      payload: {
+        ...payload,
+        exp: Math.floor((ms(expiresIn) + Date.now()) / 1000),
+        jti: options.jwtid,
+        sid: payload.sid,
+      } as PayloadType,
+    };
   }
 
-  decode<T = TJWTPayload>(token: string): T {
+  public decode<T = TJWTPayload>(token: string): T {
     return this.jwtService.decode(token) as T;
   }
 
   /**
    * Revoke a JWT token by its JTI
-   * @param jti The JWT token identifier
-   * @param expiresAt When the token naturally expires
+   * @param token The token to revoke
    */
-  async revokeToken(jti: string, expiresAt: Date) {
-    return this.revokedTokensService.revokeToken(jti, expiresAt);
+  public async revokeToken(token: TRevokedToken) {
+    return this.revokedTokensService.revokeToken(token, this.config.refreshTokenExpiration);
   }
 }

package/src/jwt-auth/jwt-auth.srtategy.ts

@@ -13,8 +13,17 @@ export type TJWTPayload = {
   iat?: string; // Issued At
   exp?: number; // Expiration Time
   jti?: string; // JWT ID, used for revocation
+  sid?: string; // Session ID to identify the family of tokens
 };
 
+export type TJWTRefreshPayload = {
+  sub: string; // User ID
+  jti?: string; // JWT ID, used for revocation
+  iat?: number; // Issued At
+  exp?: number; // Expiration Time
+  sid?: string; // Session ID to identify the family of tokens
+}
+
 @Injectable()
 export class JwtAuthStrategy extends PassportStrategy(Strategy, JWT_AUTH) {
   private readonly logger = new Logger(JwtAuthStrategy.name);
@@ -51,7 +60,7 @@ export class JwtAuthStrategy extends PassportStrategy(Strategy, JWT_AUTH) {
 
     // Check if a token has been revoked
     if (payload.jti) {
-      const isRevoked = await this.revokedTokensService.isTokenRevoked(payload.jti);
+      const isRevoked = await this.revokedTokensService.isTokenRevoked(payload.jti, payload.sid);
       if (isRevoked) {
         this.logger.debug(`Token with JTI ${payload.jti} has been revoked`);
         throw new UnauthorizedException('Token has been revoked');

package/src/revoked-tokens/entities/revoked-token.entity.ts

@@ -1,14 +1,38 @@
 import { Column, CreateDateColumn, Entity, Index, PrimaryGeneratedColumn } from 'typeorm';
 
+export enum TOKEN_TYPE {
+  ACCESS = 'access',
+  REFRESH = 'refresh',
+  SESSION = 'session',
+}
+
 @Entity('revoked_tokens')
+@Index('IDX_REVOKED_TOKEN_SID_TYPE', ['sid', 'tokenType'])
 export class RevokedToken {
   @PrimaryGeneratedColumn('uuid')
   id: string;
 
-  @Column({ unique: true })
+  @Column({
+    unique: true,
+    type: 'uuid',
+  })
   @Index('IDX_REVOKED_TOKEN_JTI')
   jti: string;
 
+  @Column({
+    type: 'uuid',
+    nullable: true,
+    default: null,
+  })
+  sid: string | null;
+
+  @Column({
+    type: 'enum',
+    enum: TOKEN_TYPE,
+    default: TOKEN_TYPE.ACCESS,
+  })
+  tokenType: TOKEN_TYPE;
+
   @Column({
     name: 'expires_at',
     type: 'timestamp with time zone',
@@ -22,3 +46,5 @@ export class RevokedToken {
   })
   createdAt: Date;
 }
+
+export type TRevokedToken = Omit<RevokedToken, 'id' | 'createdAt'>;

package/src/revoked-tokens/revoked-tokens.service.ts

@@ -1,7 +1,9 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { Repository } from 'typeorm';
-import { RevokedToken } from './entities/revoked-token.entity';
+import { RevokedToken, TOKEN_TYPE, TRevokedToken } from './entities/revoked-token.entity';
 import { Cron, CronExpression } from "@nestjs/schedule";
+import ms, { StringValue } from "ms";
+import { FindOptionsWhere } from "typeorm/find-options/FindOptionsWhere";
 
 @Injectable()
 export class RevokedTokensService {
@@ -11,31 +13,59 @@ export class RevokedTokensService {
 
   /**
    * Revokes a JWT token by storing its JTI in the database
-   * @param jti The JWT token identifier
-   * @param expiresAt When the token naturally expires
+   * @param token The token to revoke, containing at least the JTI and expiration date
+   * @param refreshTokenExpiration The expiration time for the refresh token. We use it to set the expiration date of
+   * the session token.
    */
-  async revokeToken(jti: string, expiresAt: Date): Promise<void> {
-    await this.revokedTokenRepository
+  public async revokeToken(token: TRevokedToken, refreshTokenExpiration: StringValue): Promise<void> {
+    const tokens: TRevokedToken[] = [token];
+
+    if (token.sid) {
+      tokens.push({
+        jti: token.sid,
+        sid: token.sid,
+        expiresAt: new Date(Date.now() + ms(refreshTokenExpiration)),
+        tokenType: TOKEN_TYPE.SESSION,
+      });
+    }
+
+    await this.revokeTokens(tokens);
+  }
+
+  public async revokeRefreshToken(token: TRevokedToken): Promise<void> {
+    await this.revokeTokens([token]);
+  }
+
+  private revokeTokens(tokens: TRevokedToken[]): Promise<void> {
+    return this.revokedTokenRepository
       .createQueryBuilder()
       .insert()
       .into(RevokedToken)
-      .values({ jti, expiresAt })
+      .values(tokens)
       .orIgnore()
-      .execute();
-
-    this.logger.debug(`Token with JTI ${jti} has been revoked`);
+      .execute()
+      .then(() => {
+        this.logger.debug(`Tokens with JTI ${tokens.map(t => t.jti).join(', ')} have been revoked`);
+      });
   }
 
   /**
    * Checks if a token has been revoked
    * @param jti The JWT token identifier
+   * @param sid Optional session identifier, used for session tokens
    * @returns true if the token is revoked, false otherwise
    */
-  async isTokenRevoked(jti: string): Promise<boolean> {
-    const token = await this.revokedTokenRepository.findOne({
-      where: { jti },
+  public async isTokenRevoked(jti: string, sid?: string): Promise<boolean> {
+    const whereConditions: FindOptionsWhere<RevokedToken>[] = [{ jti }];
+
+    if (sid) {
+      whereConditions.push({ sid, tokenType: TOKEN_TYPE.SESSION });
+    }
+
+    const tokensCount = await this.revokedTokenRepository.count({
+      where: whereConditions,
     });
-    return !!token;
+    return tokensCount > 0;
   }
 
   @Cron(CronExpression.EVERY_HOUR)