authenik8-core 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/dist/auth/refreshService.d.ts +3 -0
- package/dist/auth/refreshService.d.ts.map +1 -1
- package/dist/auth/refreshService.js +33 -12
- package/dist/auth/refreshService.js.map +1 -1
- package/dist/createAuthenik8.d.ts.map +1 -1
- package/dist/createAuthenik8.js +1 -0
- package/dist/createAuthenik8.js.map +1 -1
- package/dist/storage/RedisTokenStore.d.ts +5 -4
- package/dist/storage/RedisTokenStore.d.ts.map +1 -1
- package/dist/storage/RedisTokenStore.js +17 -9
- package/dist/storage/RedisTokenStore.js.map +1 -1
- package/dist/tests/con.test.d.ts +2 -0
- package/dist/tests/con.test.d.ts.map +1 -0
- package/dist/tests/con.test.js +71 -0
- package/dist/tests/con.test.js.map +1 -0
- package/dist/utility/lockHelper.d.ts +7 -0
- package/dist/utility/lockHelper.d.ts.map +1 -0
- package/dist/utility/lockHelper.js +28 -0
- package/dist/utility/lockHelper.js.map +1 -0
- package/dump.rdb +0 -0
- package/package.json +3 -2
- package/src/auth/refreshService.ts +34 -11
- package/src/createAuthenik8.ts +1 -0
- package/src/storage/RedisTokenStore.ts +20 -9
- package/src/tests/con.test.ts +76 -0
- package/src/tests/dump.rdb +0 -0
- package/src/utility/lockHelper.ts +33 -0
- package/.env +0 -2
package/CHANGELOG.md
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
## [0.1.2] - 2026-03-22
|
|
4
|
+
### Fixed
|
|
5
|
+
- Patched a vulnerability allowing reuse of old refresh tokens.
|
|
6
|
+
- Refresh token rotation now uses Redis locks to prevent concurrent refresh exploits.
|
|
7
|
+
- Concurrent refresh requests are handled safely, ensuring only one succeeds.
|
|
@@ -13,10 +13,12 @@ export interface TokenStore {
|
|
|
13
13
|
get(key: string): Promise<string | null>;
|
|
14
14
|
set?(key: string, value: string, expiry?: number): Promise<void>;
|
|
15
15
|
del?(key: string): Promise<void>;
|
|
16
|
+
getset?(key: string, value: string, expiry?: number): Promise<string | null>;
|
|
16
17
|
}
|
|
17
18
|
export interface RefreshServiceOptions {
|
|
18
19
|
tokenStore: TokenStore;
|
|
19
20
|
accessTokenSecret: string;
|
|
21
|
+
redisClient: any;
|
|
20
22
|
refreshTokenSecret: string;
|
|
21
23
|
accessTokenExpiry: SignOptions["expiresIn"];
|
|
22
24
|
rotateRefreshTokens?: boolean;
|
|
@@ -33,6 +35,7 @@ export declare class RefreshService {
|
|
|
33
35
|
private accessTokenExpiry;
|
|
34
36
|
private rotateRefreshTokens;
|
|
35
37
|
private refreshTokenExpiry;
|
|
38
|
+
private lock;
|
|
36
39
|
constructor(options: RefreshServiceOptions);
|
|
37
40
|
generateRefreshToken(payload: TokenPayload): Promise<string>;
|
|
38
41
|
refresh(refreshToken?: string): Promise<RefreshResult>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refreshService.d.ts","sourceRoot":"","sources":["../../src/auth/refreshService.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAI3C,qBAAa,iBAAkB,SAAQ,KAAK;gBAChC,OAAO,SAAgB;CAKlC;AAED,qBAAa,iBAAkB,SAC/B,KAAK;gBACO,OAAO,SAA0B;CAI5C;AAGD,UAAU,YAAY;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACb;AAGD,MAAM,WAAW,UAAU;IAC3B,GAAG,CAAC,GAAG,EAAC,MAAM,GAAE,OAAO,CAAC,MAAM,GAAE,IAAI,CAAC,CAAC;IACtC,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAC,MAAM,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"refreshService.d.ts","sourceRoot":"","sources":["../../src/auth/refreshService.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAI3C,qBAAa,iBAAkB,SAAQ,KAAK;gBAChC,OAAO,SAAgB;CAKlC;AAED,qBAAa,iBAAkB,SAC/B,KAAK;gBACO,OAAO,SAA0B;CAI5C;AAGD,UAAU,YAAY;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACb;AAGD,MAAM,WAAW,UAAU;IAC3B,GAAG,CAAC,GAAG,EAAC,MAAM,GAAE,OAAO,CAAC,MAAM,GAAE,IAAI,CAAC,CAAC;IACtC,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAC,MAAM,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,MAAM,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAC5E;AAGD,MAAM,WAAW,qBAAqB;IACrC,UAAU,EAAC,UAAU,CAAC;IACtB,iBAAiB,EAAC,MAAM,CAAC;IACzB,WAAW,EAAC,GAAG,CAAC;IAChB,kBAAkB,EAAC,MAAM,CAAC;IAC1B,iBAAiB,EAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IAC3C,mBAAmB,CAAC,EAAC,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAC,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC9B,WAAW,EAAC,MAAM,CAAC;IACnB,YAAY,CAAC,EAAC,MAAM,CAAC;CACpB;AAGD,qBAAa,cAAc;IAC3B,OAAO,CAAC,UAAU,CAAY;IAC9B,OAAO,CAAC,iBAAiB,CAAQ;IACjC,OAAO,CAAC,kBAAkB,CAAQ;IAClC,OAAO,CAAC,iBAAiB,CAA0B;IACnD,OAAO,CAAC,mBAAmB,CAAS;IACpC,OAAO,CAAC,kBAAkB,CAAQ;IAClC,OAAO,CAAC,IAAI,CAAW;gBAEX,OAAO,EAAC,qBAAqB;IAWlC,oBAAoB,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5D,OAAO,CAAC,YAAY,CAAC,EAAC,MAAM,GAAE,OAAO,CAAC,aAAa,CAAC;CAgE1D"}
|
|
@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.RefreshService = exports.InvalidTokenError = exports.MissingTokenError = void 0;
|
|
7
7
|
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
|
|
8
8
|
const crypto_1 = require("crypto");
|
|
9
|
+
const lockHelper_1 = require("../utility/lockHelper");
|
|
9
10
|
class MissingTokenError extends Error {
|
|
10
11
|
constructor(message = "Missing Token") {
|
|
11
12
|
super(message);
|
|
@@ -29,6 +30,7 @@ class RefreshService {
|
|
|
29
30
|
this.accessTokenExpiry = (_a = options.accessTokenExpiry) !== null && _a !== void 0 ? _a : "15m";
|
|
30
31
|
this.rotateRefreshTokens = (_b = options.rotateRefreshTokens) !== null && _b !== void 0 ? _b : false;
|
|
31
32
|
this.refreshTokenExpiry = (_c = options.refreshTokenExpiry) !== null && _c !== void 0 ? _c : "7d";
|
|
33
|
+
this.lock = new lockHelper_1.RedisLock(options.redisClient);
|
|
32
34
|
}
|
|
33
35
|
async generateRefreshToken(payload) {
|
|
34
36
|
if (!payload.userId)
|
|
@@ -52,21 +54,40 @@ class RefreshService {
|
|
|
52
54
|
catch (err) {
|
|
53
55
|
throw new InvalidTokenError();
|
|
54
56
|
}
|
|
55
|
-
const
|
|
56
|
-
|
|
57
|
-
|
|
57
|
+
const lockKey = `lock:${decoded.userId}`;
|
|
58
|
+
const lockValue = await this.lock.acquire(lockKey, 5000);
|
|
59
|
+
if (!lockValue) {
|
|
60
|
+
throw new InvalidTokenError("Concurrent refresh detected");
|
|
58
61
|
}
|
|
59
|
-
const
|
|
60
|
-
|
|
61
|
-
if (this.rotateRefreshTokens && this.tokenStore.set) {
|
|
62
|
+
//const storedToken= await this.tokenStore.get(`refresh:${decoded.userId}`)
|
|
63
|
+
try {
|
|
62
64
|
const key = `refresh:${decoded.userId}`;
|
|
63
|
-
|
|
64
|
-
|
|
65
|
+
const storedToken = await this.tokenStore.get(key);
|
|
66
|
+
if (!storedToken || storedToken !== refreshToken) {
|
|
67
|
+
throw new InvalidTokenError();
|
|
68
|
+
}
|
|
69
|
+
const newAccessToken = jsonwebtoken_1.default.sign({ userId: decoded.userId, email: decoded.email }, this.accessTokenSecret, { expiresIn: this.accessTokenExpiry });
|
|
70
|
+
let newRefreshToken;
|
|
71
|
+
if (this.rotateRefreshTokens && this.tokenStore.set) {
|
|
72
|
+
const key = `refresh:${decoded.userId}`;
|
|
73
|
+
newRefreshToken = jsonwebtoken_1.default.sign({ userId: decoded.userId, email: decoded.email, jti: (0, crypto_1.randomUUID)(), }, this.refreshTokenSecret, { expiresIn: this.refreshTokenExpiry });
|
|
74
|
+
if (!this.tokenStore.getset) {
|
|
75
|
+
throw new Error("TokenStore must implement getset for atomic refresh rotation");
|
|
76
|
+
}
|
|
77
|
+
const PreviousToken = await this.tokenStore.getset(key, newRefreshToken, 60 * 60 * 24 * 7);
|
|
78
|
+
if (PreviousToken !== refreshToken) {
|
|
79
|
+
throw new InvalidTokenError("Concurrent refresh detected");
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
return {
|
|
83
|
+
accessToken: newAccessToken,
|
|
84
|
+
refreshToken: newRefreshToken !== null && newRefreshToken !== void 0 ? newRefreshToken : refreshToken
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
finally {
|
|
88
|
+
if (lockValue)
|
|
89
|
+
await this.lock.release(lockKey, lockValue);
|
|
65
90
|
}
|
|
66
|
-
return {
|
|
67
|
-
accessToken: newAccessToken,
|
|
68
|
-
refreshToken: newRefreshToken !== null && newRefreshToken !== void 0 ? newRefreshToken : refreshToken
|
|
69
|
-
};
|
|
70
91
|
}
|
|
71
92
|
}
|
|
72
93
|
exports.RefreshService = RefreshService;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refreshService.js","sourceRoot":"","sources":["../../src/auth/refreshService.ts"],"names":[],"mappings":";;;;;;AAAA,gEAA+B;AAE/B,mCAAiC;
|
|
1
|
+
{"version":3,"file":"refreshService.js","sourceRoot":"","sources":["../../src/auth/refreshService.ts"],"names":[],"mappings":";;;;;;AAAA,gEAA+B;AAE/B,mCAAiC;AACjC,sDAA+C;AAE/C,MAAa,iBAAkB,SAAQ,KAAK;IAC5C,YAAY,OAAO,GAAC,eAAe;QAEnC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAE,mBAAmB,CAAC;IAC/B,CAAC;CACA;AAND,8CAMC;AAED,MAAa,iBAAkB,SAC/B,KAAK;IACL,YAAY,OAAO,GAAG,uBAAuB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAChC,CAAC;CACA;AAND,8CAMC;AAiCD,MAAa,cAAc;IAS3B,YAAY,OAA6B;;QACzC,IAAI,CAAC,UAAU,GAAI,OAAO,CAAC,UAAU,CAAC;QACtC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACnD,IAAI,CAAC,kBAAkB,GAAE,OAAO,CAAC,kBAAkB,CAAC;QACpD,IAAI,CAAC,iBAAiB,GAAE,MAAA,OAAO,CAAC,iBAAiB,mCAAI,KAAK,CAAC;QAC3D,IAAI,CAAC,mBAAmB,GAAG,MAAA,OAAO,CAAC,mBAAmB,mCAAI,KAAK,CAAC;QAChE,IAAI,CAAC,kBAAkB,GAAG,MAAA,OAAO,CAAC,kBAAkB,mCAAI,IAAI,CAAA;QAC5D,IAAI,CAAC,IAAI,GAAG,IAAI,sBAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IAC7C,CAAC;IAGD,KAAK,CAAC,oBAAoB,CAAC,OAAqB;QAE/C,IAAI,CAAC,OAAO,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QAExF,MAAM,KAAK,GAAG,sBAAG,CAAC,IAAI,CAAC,EAAC,GAAG,OAAO,EAAC,GAAG,EAAC,IAAA,mBAAU,GAAE,GAAE,EAAC,IAAI,CAAC,kBAAkB,EAAE;YAC7E,SAAS,EAAE,IAAI,CAAC,kBAA8C;SAC/D,CAAC,CAAC;QAEH,IAAG,IAAI,CAAC,UAAU,CAAC,GAAG,EAAC,CAAC;YACxB,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACzB,WAAW,OAAO,CAAC,MAAM,EAAE,EAAC,KAAK,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAClD,CAAC;QACF,CAAC;QAGD,OAAO,KAAK,CAAA;IACd,CAAC;IAGA,KAAK,CAAC,OAAO,CAAC,YAAoB;QACjC,IAAG,CAAC,YAAY,EAAC,CAAC;YAClB,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAC7B,CAAC;QAED,IAAI,OAAoB,CAAC;QAC3B,IAAG,CAAC;YAEJ,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,YAAY,EAAC,IAAI,CAAC,kBAAkB,CAAiB,CAAC;QAC3E,CAAC;QAAA,OAAM,GAAG,EAAC,CAAC;YACZ,MAAM,IAAI,iBAAiB,EAAE,CAAA;QAC7B,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAEzD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QAEH,2EAA2E;QAE3E,IAAG,CAAC;YACJ,MAAM,GAAG,GAAG,WAAW,OAAO,CAAC,MAAM,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAGnD,IAAI,CAAC,WAAW,IAAI,WAAW,KAAK,YAAY,EAAC,CAAC;gBAClD,MAAM,IAAI,iBAAiB,EAAE,CAAC;YAC9B,CAAC;YAED,MAAM,cAAc,GAAG,sBAAG,CAAC,IAAI,CACvB,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAChD,IAAI,CAAC,iBAAiB,EACtB,EAAE,SAAS,EAAE,IAAI,CAAC,iBAAiD,EAAE,CACxE,CAAC;YAEN,IAAI,eAAkC,CAAC;YAEvC,IAAG,IAAI,CAAC,mBAAmB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,EAAC,CAAC;gBACpD,MAAM,GAAG,GAAG,WAAW,OAAO,CAAC,MAAM,EAAE,CAEtC;gBACA,eAAe,GAAE,sBAAG,CAAC,IAAI,CAAC,EAAC,MAAM,EAAC,OAAO,CAAC,MAAM,EAAC,KAAK,EAAG,OAAO,CAAC,KAAK,EAAC,GAAG,EAAC,IAAA,mBAAU,GAAE,GAAE,EACzF,IAAI,CAAC,kBAAkB,EACxB,EAAC,SAAS,EAAC,IAAI,CAAC,kBAAkD,EAAC,CAAC,CAAC;gBAErE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;oBAC5B,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;gBAClF,CAAC;gBACD,MAAM,aAAa,GAAE,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,EAAC,eAAe,EAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAA;gBACvF,IAAG,aAAa,KAAK,YAAY,EAAC,CAAC;oBACnC,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAA;gBAAA,CAAC;YAC3D,CAAC;YAEA,OAAM;gBACN,WAAW,EAAC,cAAc;gBAC1B,YAAY,EAAC,eAAe,aAAf,eAAe,cAAf,eAAe,GAAI,YAAY;aAC3C,CAAC;QACH,CAAC;gBAAQ,CAAC;YACN,IAAI,SAAS;gBAAE,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;CAEA;AAvGD,wCAuGC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createAuthenik8.d.ts","sourceRoot":"","sources":["../src/createAuthenik8.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,eAAe,EAAC,MAAM,gBAAgB,CAAC;AAK/C,OAAO,EAAC,iBAAiB,EAAC,MAAM,gBAAgB,CAAA;AAGhD,eAAO,MAAM,eAAe,GAAU,QAAO,eAAe,KAAG,OAAO,CAAC,iBAAiB,
|
|
1
|
+
{"version":3,"file":"createAuthenik8.d.ts","sourceRoot":"","sources":["../src/createAuthenik8.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,eAAe,EAAC,MAAM,gBAAgB,CAAC;AAK/C,OAAO,EAAC,iBAAiB,EAAC,MAAM,gBAAgB,CAAA;AAGhD,eAAO,MAAM,eAAe,GAAU,QAAO,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAwDvF,CAAA"}
|
package/dist/createAuthenik8.js
CHANGED
|
@@ -19,6 +19,7 @@ const createAuthenik8 = async (config) => {
|
|
|
19
19
|
});
|
|
20
20
|
const refreshService = new refreshService_1.RefreshService({
|
|
21
21
|
tokenStore,
|
|
22
|
+
redisClient,
|
|
22
23
|
accessTokenSecret: config.jwtSecret,
|
|
23
24
|
refreshTokenSecret: config.refreshSecret,
|
|
24
25
|
accessTokenExpiry: config.jwtExpiry,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createAuthenik8.js","sourceRoot":"","sources":["../src/createAuthenik8.ts"],"names":[],"mappings":";;;AAAA,oDAAoD;AACpD,0DAAsD;AAEtD,8DAAkD;AAClD,4DAAuD;AACvD,4CAAyC;AACzC,uDAA4D;AAE5D,+DAAyD;AAElD,MAAM,eAAe,GAAG,KAAK,EAAE,MAAsB,EAA8B,EAAE;;IAE5F,MAAM,WAAW,GAAG,MAAA,MAAM,CAAC,KAAK,mCAAI,MAAM,IAAA,oCAAqB,GAAE,CAAA;IACjE,MAAM,UAAU,GAAG,IAAI,iCAAe,CAAC,WAAW,CAAC,CAAC;IAEnD,MAAM,UAAU,GAAE,IAAI,oBAAU,CAAC;QACjC,SAAS,EAAC,MAAM,CAAC,SAAS;QAC1B,MAAM,EAAC,MAAM,CAAC,SAAS;QACvB,WAAW,EAAC,WAAW;KACtB,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,+BAAc,CAAC;QAC1C,UAAU;QACV,iBAAiB,EAAC,MAAM,CAAC,SAAS;QAClC,kBAAkB,EAAC,MAAM,CAAC,aAAa;QACvC,iBAAiB,EAAC,MAAM,CAAC,SAAS;QAClC,mBAAmB,EAAC,IAAI;KACvB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,0BAAc,CAAC;QACpC,WAAW,EAAC,MAAM,CAAC,KAAK;QACxB,kBAAkB,EAAE,IAAI;QACxB,aAAa,EAAC,IAAI;QAClB,gBAAgB,EAAC,IAAI;KACpB,CAAC,CAAC;IACJ,OAAM;QACL,MAAM;QACN,KAAK,EAAC,WAAW;QACjB,SAAS,EAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;QAC/C,WAAW,EAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;QACnD,UAAU,EAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC;QAEjD,SAAS;QACT,YAAY,EACX,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC;QAC5C,oBAAoB,EAAE,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC;QAC/E,UAAU;QACP,SAAS,EAAE,QAAQ,CAAC,qBAAqB,EAAE;QAC1C,WAAW,EAAE,QAAQ,CAAC,mBAAmB,EAAE;QAC3C,MAAM,EAAE,QAAQ,CAAC,gBAAgB,EAAE;QAEnC,sBAAsB;QACtB,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QACpC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC1C,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAG3C,YAAY;QACb,YAAY,EAAE,IAAA,2BAAY,EAAC,EAAE,SAAS,EACrC,MAAM,CAAC,SAAS;YACX,KAAK,EAAC,WAAW;SACtB,CAAC;QACF,SAAS,EAAC,4BAAS;KAElB,CAAA;AACD,CAAC,CAAA;
|
|
1
|
+
{"version":3,"file":"createAuthenik8.js","sourceRoot":"","sources":["../src/createAuthenik8.ts"],"names":[],"mappings":";;;AAAA,oDAAoD;AACpD,0DAAsD;AAEtD,8DAAkD;AAClD,4DAAuD;AACvD,4CAAyC;AACzC,uDAA4D;AAE5D,+DAAyD;AAElD,MAAM,eAAe,GAAG,KAAK,EAAE,MAAsB,EAA8B,EAAE;;IAE5F,MAAM,WAAW,GAAG,MAAA,MAAM,CAAC,KAAK,mCAAI,MAAM,IAAA,oCAAqB,GAAE,CAAA;IACjE,MAAM,UAAU,GAAG,IAAI,iCAAe,CAAC,WAAW,CAAC,CAAC;IAEnD,MAAM,UAAU,GAAE,IAAI,oBAAU,CAAC;QACjC,SAAS,EAAC,MAAM,CAAC,SAAS;QAC1B,MAAM,EAAC,MAAM,CAAC,SAAS;QACvB,WAAW,EAAC,WAAW;KACtB,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,+BAAc,CAAC;QAC1C,UAAU;QACV,WAAW;QACX,iBAAiB,EAAC,MAAM,CAAC,SAAS;QAClC,kBAAkB,EAAC,MAAM,CAAC,aAAa;QACvC,iBAAiB,EAAC,MAAM,CAAC,SAAS;QAClC,mBAAmB,EAAC,IAAI;KACvB,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,0BAAc,CAAC;QACpC,WAAW,EAAC,MAAM,CAAC,KAAK;QACxB,kBAAkB,EAAE,IAAI;QACxB,aAAa,EAAC,IAAI;QAClB,gBAAgB,EAAC,IAAI;KACpB,CAAC,CAAC;IACJ,OAAM;QACL,MAAM;QACN,KAAK,EAAC,WAAW;QACjB,SAAS,EAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;QAC/C,WAAW,EAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;QACnD,UAAU,EAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC;QAEjD,SAAS;QACT,YAAY,EACX,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC;QAC5C,oBAAoB,EAAE,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC;QAC/E,UAAU;QACP,SAAS,EAAE,QAAQ,CAAC,qBAAqB,EAAE;QAC1C,WAAW,EAAE,QAAQ,CAAC,mBAAmB,EAAE;QAC3C,MAAM,EAAE,QAAQ,CAAC,gBAAgB,EAAE;QAEnC,sBAAsB;QACtB,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QACpC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC1C,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAG3C,YAAY;QACb,YAAY,EAAE,IAAA,2BAAY,EAAC,EAAE,SAAS,EACrC,MAAM,CAAC,SAAS;YACX,KAAK,EAAC,WAAW;SACtB,CAAC;QACF,SAAS,EAAC,4BAAS;KAElB,CAAA;AACD,CAAC,CAAA;AAxDY,QAAA,eAAe,mBAwD3B"}
|
|
@@ -7,10 +7,11 @@ export declare class RedisTokenStore {
|
|
|
7
7
|
private key;
|
|
8
8
|
private log;
|
|
9
9
|
storeRefreshToken(token: string, userId: string, ttl: number): Promise<void>;
|
|
10
|
-
getRefreshToken(
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
10
|
+
getRefreshToken(userId: string): Promise<string | null>;
|
|
11
|
+
getset(key: string, value: string, expiry?: number): Promise<string | null>;
|
|
12
|
+
deleteRefreshToken(userId: string): Promise<void>;
|
|
13
|
+
blacklistToken(userId: string, ttl: number): Promise<void>;
|
|
14
|
+
isBlacklisted(userId: string): Promise<boolean>;
|
|
14
15
|
incrementRateLimit(ip: string, ttl: number): Promise<number>;
|
|
15
16
|
addToWhitelist(ip: string): Promise<void>;
|
|
16
17
|
removeFromWhitelist(ip: string): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"RedisTokenStore.d.ts","sourceRoot":"","sources":["../../src/storage/RedisTokenStore.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,qBAAa,eAAe;IAGd,OAAO,CAAC,KAAK;IAAQ,OAAO,CAAC,KAAK;IAF/C,OAAO,CAAC,MAAM,CAAa;gBAEN,KAAK,EAAE,KAAK,EAAS,KAAK,UAAQ;IAGtD,OAAO,CAAC,GAAG;IAIb,OAAO,CAAC,GAAG;IAKJ,iBAAiB,CAAC,KAAK,EAAC,MAAM,EAAC,MAAM,EAAC,MAAM,EAAC,GAAG,EAAC,MAAM;IAOxD,eAAe,CAAC,
|
|
1
|
+
{"version":3,"file":"RedisTokenStore.d.ts","sourceRoot":"","sources":["../../src/storage/RedisTokenStore.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,qBAAa,eAAe;IAGd,OAAO,CAAC,KAAK;IAAQ,OAAO,CAAC,KAAK;IAF/C,OAAO,CAAC,MAAM,CAAa;gBAEN,KAAK,EAAE,KAAK,EAAS,KAAK,UAAQ;IAGtD,OAAO,CAAC,GAAG;IAIb,OAAO,CAAC,GAAG;IAKJ,iBAAiB,CAAC,KAAK,EAAC,MAAM,EAAC,MAAM,EAAC,MAAM,EAAC,GAAG,EAAC,MAAM;IAOxD,eAAe,CAAC,MAAM,EAAC,MAAM;IAM7B,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY3E,kBAAkB,CAAC,MAAM,EAAC,MAAM;IAOhC,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;IAMxC,aAAa,CAAC,MAAM,EAAE,MAAM;IAQ5B,kBAAkB,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;IAa1C,cAAc,CAAC,EAAE,EAAE,MAAM;IAMzB,mBAAmB,CAAC,EAAE,EAAE,MAAM;IAM9B,aAAa,CAAC,EAAE,EAAE,MAAM;IAM1B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAW7D,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAG/C"}
|
|
@@ -16,28 +16,36 @@ class RedisTokenStore {
|
|
|
16
16
|
}
|
|
17
17
|
}
|
|
18
18
|
async storeRefreshToken(token, userId, ttl) {
|
|
19
|
-
const key = this.key("refresh",
|
|
19
|
+
const key = this.key("refresh", userId);
|
|
20
20
|
await this.redis.set(key, userId, "EX", ttl);
|
|
21
21
|
this.log("SET", key, userId);
|
|
22
22
|
}
|
|
23
|
-
async getRefreshToken(
|
|
24
|
-
const key = this.key("refresh",
|
|
23
|
+
async getRefreshToken(userId) {
|
|
24
|
+
const key = this.key("refresh", userId);
|
|
25
25
|
const value = await this.redis.get(key);
|
|
26
26
|
this.log("GET", key, value);
|
|
27
27
|
return value;
|
|
28
28
|
}
|
|
29
|
-
async
|
|
30
|
-
const
|
|
29
|
+
async getset(key, value, expiry) {
|
|
30
|
+
const previous = await this.redis.getset(key, value);
|
|
31
|
+
if (expiry) {
|
|
32
|
+
await this.redis.expire(key, expiry);
|
|
33
|
+
}
|
|
34
|
+
this.log("GETSET", key, { previous, new: value });
|
|
35
|
+
return previous;
|
|
36
|
+
}
|
|
37
|
+
async deleteRefreshToken(userId) {
|
|
38
|
+
const key = this.key("refresh", userId);
|
|
31
39
|
await this.redis.del(key);
|
|
32
40
|
this.log("DEL", key);
|
|
33
41
|
}
|
|
34
|
-
async blacklistToken(
|
|
35
|
-
const key = this.key("blacklist",
|
|
42
|
+
async blacklistToken(userId, ttl) {
|
|
43
|
+
const key = this.key("blacklist", userId);
|
|
36
44
|
await this.redis.set(key, "1", "EX", ttl);
|
|
37
45
|
this.log("SET", key, "blacklisted");
|
|
38
46
|
}
|
|
39
|
-
async isBlacklisted(
|
|
40
|
-
const key = this.key("blacklist",
|
|
47
|
+
async isBlacklisted(userId) {
|
|
48
|
+
const key = this.key("blacklist", userId);
|
|
41
49
|
const exists = await this.redis.exists(key);
|
|
42
50
|
this.log("CHECK", key, exists);
|
|
43
51
|
return exists === 1;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"RedisTokenStore.js","sourceRoot":"","sources":["../../src/storage/RedisTokenStore.ts"],"names":[],"mappings":";;;AAGA,MAAa,eAAe;IAG1B,YAAoB,KAAY,EAAS,QAAQ,KAAK;QAAlC,UAAK,GAAL,KAAK,CAAO;QAAS,UAAK,GAAL,KAAK,CAAQ;QAF/C,WAAM,GAAG,SAAS,CAAC;IAE+B,CAAC;IAGlD,GAAG,CAAC,GAAG,KAAc;QAC7B,OAAO,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAC3C,CAAC;IAEK,GAAG,CAAC,MAAa,EAAC,GAAU,EAAE,KAAU;QAChD,IAAI,IAAI,CAAC,KAAK,EAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,GAAG,EAAC,EAAC,GAAG,EAAE,KAAK,EAAC,CAAC,CAAA;QAC5C,CAAC;IACF,CAAC;IACA,KAAK,CAAC,iBAAiB,CAAC,KAAY,EAAC,MAAa,EAAC,GAAU;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,
|
|
1
|
+
{"version":3,"file":"RedisTokenStore.js","sourceRoot":"","sources":["../../src/storage/RedisTokenStore.ts"],"names":[],"mappings":";;;AAGA,MAAa,eAAe;IAG1B,YAAoB,KAAY,EAAS,QAAQ,KAAK;QAAlC,UAAK,GAAL,KAAK,CAAO;QAAS,UAAK,GAAL,KAAK,CAAQ;QAF/C,WAAM,GAAG,SAAS,CAAC;IAE+B,CAAC;IAGlD,GAAG,CAAC,GAAG,KAAc;QAC7B,OAAO,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAC3C,CAAC;IAEK,GAAG,CAAC,MAAa,EAAC,GAAU,EAAE,KAAU;QAChD,IAAI,IAAI,CAAC,KAAK,EAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,GAAG,EAAC,EAAC,GAAG,EAAE,KAAK,EAAC,CAAC,CAAA;QAC5C,CAAC;IACF,CAAC;IACA,KAAK,CAAC,iBAAiB,CAAC,KAAY,EAAC,MAAa,EAAC,GAAU;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAC,MAAM,EAAE,IAAI,EAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IAE7B,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,MAAa;QACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAC,MAAM,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAC,GAAG,EAAG,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACb,CAAC;IACD,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,KAAa,EAAE,MAAe;QAEtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAErD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAClD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAAa;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAC,MAAM,CAAC,CAAC;QACvC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAC,GAAG,CAAC,CAAC;IAEpB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAc,EAAE,GAAW;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,MAAc;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,gBAAgB;IAChB,KAAK,CAAC,kBAAkB,CAAC,EAAU,EAAE,GAAW;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,eAAe;IACf,KAAK,CAAC,cAAc,CAAC,EAAU;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,EAAU;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,KAAK,CAAC,CAAC;IACtB,CAAC;IACH,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa,EAAE,MAAe;QACnD,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEtC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAGC,KAAK,CAAC,GAAG,CAAC,GAAW;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;CACF;AA1GD,0CA0GC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"con.test.d.ts","sourceRoot":"","sources":["../../src/tests/con.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
const createAuthenik8_1 = require("../createAuthenik8");
|
|
7
|
+
const supertest_1 = __importDefault(require("supertest"));
|
|
8
|
+
const express_1 = __importDefault(require("express"));
|
|
9
|
+
const ioredis_1 = __importDefault(require("ioredis"));
|
|
10
|
+
describe("Refresh Token Concurrency (Integration)", () => {
|
|
11
|
+
let app;
|
|
12
|
+
let auth; // or just `any` but this is better
|
|
13
|
+
let refreshToken;
|
|
14
|
+
let redisClient;
|
|
15
|
+
beforeAll(async () => {
|
|
16
|
+
// Create and verify a connected Redis client (use a separate DB for tests)
|
|
17
|
+
redisClient = new ioredis_1.default({ host: "localhost", port: 6379, db: 1 });
|
|
18
|
+
await redisClient.ping(); // ensure connection is established
|
|
19
|
+
// Pass the connected client as `redis` (not `redisClient`)
|
|
20
|
+
auth = await (0, createAuthenik8_1.createAuthenik8)({
|
|
21
|
+
jwtSecret: "test-secret",
|
|
22
|
+
refreshSecret: "refresh-secret",
|
|
23
|
+
jwtExpiry: "15m",
|
|
24
|
+
redis: redisClient, // ✅ correct property name
|
|
25
|
+
});
|
|
26
|
+
app = (0, express_1.default)();
|
|
27
|
+
app.use(express_1.default.json());
|
|
28
|
+
// Login route – must be async and await the refresh token generation
|
|
29
|
+
app.post("/login", async (req, res) => {
|
|
30
|
+
const token = auth.signToken({ userId: "user_1", email: "test@test.com" });
|
|
31
|
+
refreshToken = await auth.generateRefreshToken({ userId: "user_1", email: "test@test.com" });
|
|
32
|
+
res.json({ token, refreshToken });
|
|
33
|
+
});
|
|
34
|
+
// Refresh route – unchanged but uses the proper error handling
|
|
35
|
+
app.post("/refresh", async (req, res) => {
|
|
36
|
+
try {
|
|
37
|
+
const result = await auth.refreshToken(req.body.refreshToken);
|
|
38
|
+
res.json(result);
|
|
39
|
+
}
|
|
40
|
+
catch (err) {
|
|
41
|
+
console.error("Refresh error", err);
|
|
42
|
+
if (err.name === "InvalidTokenError") {
|
|
43
|
+
return res.status(401).json({ error: err.message });
|
|
44
|
+
}
|
|
45
|
+
return res.status(500).json({ error: err.message });
|
|
46
|
+
}
|
|
47
|
+
});
|
|
48
|
+
});
|
|
49
|
+
afterAll(async () => {
|
|
50
|
+
// Clean up the test database and close the client
|
|
51
|
+
await redisClient.flushdb();
|
|
52
|
+
await redisClient.quit();
|
|
53
|
+
});
|
|
54
|
+
it("should allow only one of two concurrent refresh requests", async () => {
|
|
55
|
+
// Login to obtain a valid refresh token
|
|
56
|
+
await (0, supertest_1.default)(app).post("/login").send({});
|
|
57
|
+
// Fire two concurrent refresh requests
|
|
58
|
+
const [res1, res2] = await Promise.all([
|
|
59
|
+
(0, supertest_1.default)(app).post("/refresh").send({ refreshToken }),
|
|
60
|
+
(0, supertest_1.default)(app).post("/refresh").send({ refreshToken }),
|
|
61
|
+
]);
|
|
62
|
+
// Exactly one should succeed (200) and one should fail with 401
|
|
63
|
+
const statuses = [res1.status, res2.status].sort();
|
|
64
|
+
expect(statuses).toEqual([200, 401]);
|
|
65
|
+
// The successful response must contain new tokens
|
|
66
|
+
const successRes = res1.status === 200 ? res1 : res2;
|
|
67
|
+
expect(successRes.body).toHaveProperty("accessToken");
|
|
68
|
+
expect(successRes.body).toHaveProperty("refreshToken");
|
|
69
|
+
});
|
|
70
|
+
});
|
|
71
|
+
//# sourceMappingURL=con.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"con.test.js","sourceRoot":"","sources":["../../src/tests/con.test.ts"],"names":[],"mappings":";;;;;AAAA,wDAAqD;AACrD,0DAAgC;AAChC,sDAA8B;AAC9B,sDAA4B;AAE5B,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;IACvD,IAAI,GAAoB,CAAC;IACzB,IAAI,IAAiD,CAAC,CAAC,mCAAmC;IAC1F,IAAI,YAAoB,CAAC;IACzB,IAAI,WAAkB,CAAC;IAEvB,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,2EAA2E;QAC3E,WAAW,GAAG,IAAI,iBAAK,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAClE,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,mCAAmC;QAE7D,2DAA2D;QAC3D,IAAI,GAAG,MAAM,IAAA,iCAAe,EAAC;YAC3B,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,gBAAgB;YAC/B,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,WAAW,EAAE,0BAA0B;SAC/C,CAAC,CAAC;QAEH,GAAG,GAAG,IAAA,iBAAO,GAAE,CAAC;QAChB,GAAG,CAAC,GAAG,CAAC,iBAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAExB,qEAAqE;QACrE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YAC3E,YAAY,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;YAC7F,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YACtC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBAC9D,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBACnB,OAAO,CAAC,KAAK,CAAC,eAAe,EAAC,GAAG,CAAC,CAAA;gBAElC,IAAG,GAAG,CAAC,IAAI,KAAK,mBAAmB,EAAC,CAAC;oBACrC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAC,GAAG,CAAC,OAAO,EAAC,CAAC,CAAA;gBAChD,CAAC;gBACA,OAAO,GAAG,CAAC,MAAM,CAAE,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACvD,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,kDAAkD;QAClD,MAAM,WAAW,CAAC,OAAO,EAAE,CAAC;QAC5B,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,wCAAwC;QACxC,MAAM,IAAA,mBAAO,EAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAE3C,uCAAuC;QACvC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrC,IAAA,mBAAO,EAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,CAAC;YACpD,IAAA,mBAAO,EAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,YAAY,EAAE,CAAC;SACrD,CAAC,CAAC;QAEH,gEAAgE;QAChE,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QAErC,kDAAkD;QAClD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACrD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;QACtD,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"lockHelper.d.ts","sourceRoot":"","sources":["../../src/utility/lockHelper.ts"],"names":[],"mappings":"AAEA,qBAAa,SAAS;IACR,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,GAAG;IAExB,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,SAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAgBxD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAWzD"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.RedisLock = void 0;
|
|
4
|
+
const crypto_1 = require("crypto");
|
|
5
|
+
class RedisLock {
|
|
6
|
+
constructor(redis) {
|
|
7
|
+
this.redis = redis;
|
|
8
|
+
}
|
|
9
|
+
async acquire(key, ttl = 5000) {
|
|
10
|
+
const value = (0, crypto_1.randomUUID)();
|
|
11
|
+
const result = await this.redis.set(key, value, "PX", ttl, "NX");
|
|
12
|
+
if (result !== "OK")
|
|
13
|
+
return null;
|
|
14
|
+
return value;
|
|
15
|
+
}
|
|
16
|
+
async release(key, value) {
|
|
17
|
+
const luaScript = `
|
|
18
|
+
if redis.call("GET", KEYS[1]) == ARGV[1] then
|
|
19
|
+
return redis.call("DEL", KEYS[1])
|
|
20
|
+
else
|
|
21
|
+
return 0
|
|
22
|
+
end
|
|
23
|
+
`;
|
|
24
|
+
await this.redis.eval(luaScript, 1, key, value);
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
exports.RedisLock = RedisLock;
|
|
28
|
+
//# sourceMappingURL=lockHelper.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"lockHelper.js","sourceRoot":"","sources":["../../src/utility/lockHelper.ts"],"names":[],"mappings":";;;AAAA,mCAAoC;AAEpC,MAAa,SAAS;IACpB,YAAoB,KAAU;QAAV,UAAK,GAAL,KAAK,CAAK;IAAG,CAAC;IAElC,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,GAAG,GAAG,IAAI;QACnC,MAAM,KAAK,GAAG,IAAA,mBAAU,GAAE,CAAC;QAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CACjC,GAAG,EACH,KAAK,EACL,IAAI,EACJ,GAAG,EACH,IAAI,CACL,CAAC;QAEF,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAEjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,KAAa;QACtC,MAAM,SAAS,GAAG;;;;;;KAMjB,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC;CACF;AA9BD,8BA8BC"}
|
package/dump.rdb
CHANGED
|
Binary file
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "authenik8-core",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"description": "A modular Node.js authentication SDK with JWT, secure refresh token rotation, and built-in security middleware.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"authentication",
|
|
@@ -33,7 +33,8 @@
|
|
|
33
33
|
"files": [
|
|
34
34
|
"dist",
|
|
35
35
|
"README.md",
|
|
36
|
-
"LICENSE"
|
|
36
|
+
"LICENSE",
|
|
37
|
+
"CHANGELOG"
|
|
37
38
|
]
|
|
38
39
|
},
|
|
39
40
|
"devDependencies": {
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import jwt from "jsonwebtoken";
|
|
2
2
|
import { SignOptions } from "jsonwebtoken";
|
|
3
3
|
import {randomUUID} from "crypto"
|
|
4
|
-
|
|
4
|
+
import {RedisLock} from "../utility/lockHelper"
|
|
5
5
|
|
|
6
6
|
export class MissingTokenError extends Error{
|
|
7
7
|
constructor(message="Missing Token")
|
|
@@ -30,11 +30,14 @@ export interface TokenStore{
|
|
|
30
30
|
get(key:string):Promise<string| null>;
|
|
31
31
|
set?(key: string, value: string, expiry?:number):Promise<void>;
|
|
32
32
|
del?(key :string):Promise<void>;
|
|
33
|
-
|
|
33
|
+
getset?(key: string, value: string, expiry?: number): Promise<string | null>;
|
|
34
34
|
}
|
|
35
|
+
|
|
36
|
+
|
|
35
37
|
export interface RefreshServiceOptions {
|
|
36
38
|
tokenStore:TokenStore;
|
|
37
39
|
accessTokenSecret:string;
|
|
40
|
+
redisClient:any;
|
|
38
41
|
refreshTokenSecret:string;
|
|
39
42
|
accessTokenExpiry:SignOptions["expiresIn"];
|
|
40
43
|
rotateRefreshTokens?:boolean;
|
|
@@ -54,7 +57,7 @@ private refreshTokenSecret:string;
|
|
|
54
57
|
private accessTokenExpiry:SignOptions["expiresIn"];
|
|
55
58
|
private rotateRefreshTokens:boolean;
|
|
56
59
|
private refreshTokenExpiry:string;
|
|
57
|
-
|
|
60
|
+
private lock:RedisLock;
|
|
58
61
|
|
|
59
62
|
constructor(options:RefreshServiceOptions){
|
|
60
63
|
this.tokenStore = options.tokenStore;
|
|
@@ -63,8 +66,10 @@ this.refreshTokenSecret =options.refreshTokenSecret;
|
|
|
63
66
|
this.accessTokenExpiry= options.accessTokenExpiry ?? "15m";
|
|
64
67
|
this.rotateRefreshTokens = options.rotateRefreshTokens ?? false;
|
|
65
68
|
this.refreshTokenExpiry = options.refreshTokenExpiry ?? "7d"
|
|
69
|
+
this.lock = new RedisLock(options.redisClient)
|
|
66
70
|
}
|
|
67
71
|
|
|
72
|
+
|
|
68
73
|
async generateRefreshToken(payload: TokenPayload): Promise<string> {
|
|
69
74
|
|
|
70
75
|
if (!payload.userId) throw new Error("generateRefreshToken: payload.userId is missing");
|
|
@@ -88,19 +93,30 @@ this.refreshTokenExpiry = options.refreshTokenExpiry ?? "7d"
|
|
|
88
93
|
if(!refreshToken){
|
|
89
94
|
throw new MissingTokenError()
|
|
90
95
|
}
|
|
91
|
-
|
|
92
|
-
let decoded:TokenPayload;
|
|
93
|
-
try
|
|
96
|
+
|
|
97
|
+
let decoded:TokenPayload;
|
|
98
|
+
try{
|
|
99
|
+
|
|
94
100
|
decoded = jwt.verify(refreshToken,this.refreshTokenSecret) as TokenPayload;
|
|
95
101
|
}catch(err){
|
|
96
102
|
throw new InvalidTokenError()
|
|
97
103
|
}
|
|
98
104
|
|
|
99
|
-
const
|
|
105
|
+
const lockKey = `lock:${decoded.userId}`;
|
|
106
|
+
const lockValue = await this.lock.acquire(lockKey, 5000);
|
|
100
107
|
|
|
108
|
+
if (!lockValue) {
|
|
109
|
+
throw new InvalidTokenError("Concurrent refresh detected");
|
|
110
|
+
}
|
|
111
|
+
|
|
112
|
+
//const storedToken= await this.tokenStore.get(`refresh:${decoded.userId}`)
|
|
101
113
|
|
|
114
|
+
try{
|
|
115
|
+
const key = `refresh:${decoded.userId}`;
|
|
116
|
+
const storedToken = await this.tokenStore.get(key);
|
|
102
117
|
|
|
103
|
-
|
|
118
|
+
|
|
119
|
+
if (!storedToken || storedToken !== refreshToken){
|
|
104
120
|
throw new InvalidTokenError();
|
|
105
121
|
}
|
|
106
122
|
|
|
@@ -120,14 +136,21 @@ const key = `refresh:${decoded.userId}`
|
|
|
120
136
|
this.refreshTokenSecret,
|
|
121
137
|
{expiresIn:this.refreshTokenExpiry as jwt.SignOptions["expiresIn"]});
|
|
122
138
|
|
|
123
|
-
|
|
124
|
-
|
|
139
|
+
if (!this.tokenStore.getset) {
|
|
140
|
+
throw new Error("TokenStore must implement getset for atomic refresh rotation");
|
|
141
|
+
}
|
|
142
|
+
const PreviousToken =await this.tokenStore.getset(key,newRefreshToken,60 * 60 * 24 * 7)
|
|
143
|
+
if(PreviousToken !== refreshToken){
|
|
144
|
+
throw new InvalidTokenError("Concurrent refresh detected")}
|
|
125
145
|
}
|
|
126
146
|
|
|
127
147
|
return{
|
|
128
148
|
accessToken:newAccessToken,
|
|
129
149
|
refreshToken:newRefreshToken ?? refreshToken
|
|
130
150
|
};
|
|
131
|
-
}
|
|
151
|
+
}finally {
|
|
152
|
+
if (lockValue) await this.lock.release(lockKey, lockValue);
|
|
153
|
+
}
|
|
132
154
|
}
|
|
133
155
|
|
|
156
|
+
}
|
package/src/createAuthenik8.ts
CHANGED
|
@@ -17,34 +17,45 @@ console.log(`[Redis ${action}]`,{key, value})
|
|
|
17
17
|
}
|
|
18
18
|
}
|
|
19
19
|
async storeRefreshToken(token:string,userId:string,ttl:number){
|
|
20
|
-
const key = this.key("refresh",
|
|
20
|
+
const key = this.key("refresh", userId);
|
|
21
21
|
await this.redis.set(key,userId, "EX",ttl);
|
|
22
22
|
this.log("SET", key, userId)
|
|
23
23
|
|
|
24
24
|
}
|
|
25
25
|
|
|
26
|
-
async getRefreshToken(
|
|
27
|
-
const key = this.key("refresh",
|
|
26
|
+
async getRefreshToken(userId:string){
|
|
27
|
+
const key = this.key("refresh",userId);
|
|
28
28
|
const value = await this.redis.get(key);
|
|
29
29
|
this.log("GET",key , value);
|
|
30
30
|
return value;
|
|
31
31
|
}
|
|
32
|
+
async getset(key: string, value: string, expiry?: number): Promise<string | null> {
|
|
32
33
|
|
|
33
|
-
|
|
34
|
-
|
|
34
|
+
const previous = await this.redis.getset(key, value);
|
|
35
|
+
|
|
36
|
+
if (expiry) {
|
|
37
|
+
await this.redis.expire(key, expiry);
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
this.log("GETSET", key, { previous, new: value });
|
|
41
|
+
return previous;
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
async deleteRefreshToken(userId:string){
|
|
45
|
+
const key = this.key("refresh",userId);
|
|
35
46
|
await this.redis.del(key);
|
|
36
47
|
this.log("DEL",key);
|
|
37
48
|
|
|
38
49
|
}
|
|
39
50
|
|
|
40
|
-
async blacklistToken(
|
|
41
|
-
const key = this.key("blacklist",
|
|
51
|
+
async blacklistToken(userId: string, ttl: number) {
|
|
52
|
+
const key = this.key("blacklist", userId);
|
|
42
53
|
await this.redis.set(key, "1", "EX", ttl);
|
|
43
54
|
this.log("SET", key, "blacklisted");
|
|
44
55
|
}
|
|
45
56
|
|
|
46
|
-
async isBlacklisted(
|
|
47
|
-
const key = this.key("blacklist",
|
|
57
|
+
async isBlacklisted(userId: string) {
|
|
58
|
+
const key = this.key("blacklist", userId);
|
|
48
59
|
const exists = await this.redis.exists(key);
|
|
49
60
|
this.log("CHECK", key, exists);
|
|
50
61
|
return exists === 1;
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
import { createAuthenik8 } from "../createAuthenik8";
|
|
2
|
+
import request from "supertest";
|
|
3
|
+
import express from "express";
|
|
4
|
+
import Redis from "ioredis";
|
|
5
|
+
|
|
6
|
+
describe("Refresh Token Concurrency (Integration)", () => {
|
|
7
|
+
let app: express.Express;
|
|
8
|
+
let auth: Awaited<ReturnType<typeof createAuthenik8>>; // or just `any` but this is better
|
|
9
|
+
let refreshToken: string;
|
|
10
|
+
let redisClient: Redis;
|
|
11
|
+
|
|
12
|
+
beforeAll(async () => {
|
|
13
|
+
// Create and verify a connected Redis client (use a separate DB for tests)
|
|
14
|
+
redisClient = new Redis({ host: "localhost", port: 6379, db: 1 });
|
|
15
|
+
await redisClient.ping(); // ensure connection is established
|
|
16
|
+
|
|
17
|
+
// Pass the connected client as `redis` (not `redisClient`)
|
|
18
|
+
auth = await createAuthenik8({
|
|
19
|
+
jwtSecret: "test-secret",
|
|
20
|
+
refreshSecret: "refresh-secret",
|
|
21
|
+
jwtExpiry: "15m",
|
|
22
|
+
redis: redisClient, // ✅ correct property name
|
|
23
|
+
});
|
|
24
|
+
|
|
25
|
+
app = express();
|
|
26
|
+
app.use(express.json());
|
|
27
|
+
|
|
28
|
+
// Login route – must be async and await the refresh token generation
|
|
29
|
+
app.post("/login", async (req, res) => {
|
|
30
|
+
const token = auth.signToken({ userId: "user_1", email: "test@test.com" });
|
|
31
|
+
refreshToken = await auth.generateRefreshToken({ userId: "user_1", email: "test@test.com" });
|
|
32
|
+
res.json({ token, refreshToken });
|
|
33
|
+
});
|
|
34
|
+
|
|
35
|
+
// Refresh route – unchanged but uses the proper error handling
|
|
36
|
+
app.post("/refresh", async (req, res) => {
|
|
37
|
+
try {
|
|
38
|
+
const result = await auth.refreshToken(req.body.refreshToken);
|
|
39
|
+
res.json(result);
|
|
40
|
+
} catch (err: any) {
|
|
41
|
+
console.error("Refresh error",err)
|
|
42
|
+
|
|
43
|
+
if(err.name === "InvalidTokenError"){
|
|
44
|
+
return res.status(401).json({error:err.message})
|
|
45
|
+
}
|
|
46
|
+
return res.status( 500).json({ error: err.message });
|
|
47
|
+
}
|
|
48
|
+
});
|
|
49
|
+
});
|
|
50
|
+
|
|
51
|
+
afterAll(async () => {
|
|
52
|
+
// Clean up the test database and close the client
|
|
53
|
+
await redisClient.flushdb();
|
|
54
|
+
await redisClient.quit();
|
|
55
|
+
});
|
|
56
|
+
|
|
57
|
+
it("should allow only one of two concurrent refresh requests", async () => {
|
|
58
|
+
// Login to obtain a valid refresh token
|
|
59
|
+
await request(app).post("/login").send({});
|
|
60
|
+
|
|
61
|
+
// Fire two concurrent refresh requests
|
|
62
|
+
const [res1, res2] = await Promise.all([
|
|
63
|
+
request(app).post("/refresh").send({ refreshToken }),
|
|
64
|
+
request(app).post("/refresh").send({ refreshToken }),
|
|
65
|
+
]);
|
|
66
|
+
|
|
67
|
+
// Exactly one should succeed (200) and one should fail with 401
|
|
68
|
+
const statuses = [res1.status, res2.status].sort();
|
|
69
|
+
expect(statuses).toEqual([200, 401]);
|
|
70
|
+
|
|
71
|
+
// The successful response must contain new tokens
|
|
72
|
+
const successRes = res1.status === 200 ? res1 : res2;
|
|
73
|
+
expect(successRes.body).toHaveProperty("accessToken");
|
|
74
|
+
expect(successRes.body).toHaveProperty("refreshToken");
|
|
75
|
+
});
|
|
76
|
+
});
|
|
Binary file
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
import { randomUUID } from "crypto";
|
|
2
|
+
|
|
3
|
+
export class RedisLock {
|
|
4
|
+
constructor(private redis: any) {}
|
|
5
|
+
|
|
6
|
+
async acquire(key: string, ttl = 5000): Promise<string | null> {
|
|
7
|
+
const value = randomUUID();
|
|
8
|
+
|
|
9
|
+
const result = await this.redis.set(
|
|
10
|
+
key,
|
|
11
|
+
value,
|
|
12
|
+
"PX",
|
|
13
|
+
ttl,
|
|
14
|
+
"NX"
|
|
15
|
+
);
|
|
16
|
+
|
|
17
|
+
if (result !== "OK") return null;
|
|
18
|
+
|
|
19
|
+
return value;
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
async release(key: string, value: string): Promise<void> {
|
|
23
|
+
const luaScript = `
|
|
24
|
+
if redis.call("GET", KEYS[1]) == ARGV[1] then
|
|
25
|
+
return redis.call("DEL", KEYS[1])
|
|
26
|
+
else
|
|
27
|
+
return 0
|
|
28
|
+
end
|
|
29
|
+
`;
|
|
30
|
+
|
|
31
|
+
await this.redis.eval(luaScript, 1, key, value);
|
|
32
|
+
}
|
|
33
|
+
}
|
package/.env
DELETED