najm-auth 1.1.19 → 1.1.20

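--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -683,8 +683,10 @@ declare class TokenService {
  validateRefreshSession(refreshToken: string): Promise<string>;
  /**
  * Read the refresh cookie and return the userId it belongs to.
- * Validates against DB to ensure the session is still active.
- * Throws if the cookie is missing, invalid, or revoked.
+ * Lightweight check: verifies JWT signature and ensures the user
+ * has an active session in the DB. Does NOT compare token hashes,
+ * so it is safe to call concurrently with token rotation.
+ * Throws if the cookie is missing, invalid, or the session was revoked.
  */
  resolveUserFromCookie(): Promise<string>;
  getUser(auth: string): Promise<any>;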
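--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1408,24 +1408,28 @@ var TokenService = class TokenService2 {
  }
  const isValid = this.hashToken(refreshToken) === stored.token;
  if (!isValid) {
- if (stored.tokenFamily) {
- await this.tokenRepository.revokeByFamily(stored.tokenFamily);
- }
  Err5(this.t("errors.refreshTokenInvalid"));
  }
  return userId;
  }
  /**
  * Read the refresh cookie and return the userId it belongs to.
- * Validates against DB to ensure the session is still active.
- * Throws if the cookie is missing, invalid, or revoked.
+ * Lightweight check: verifies JWT signature and ensures the user
+ * has an active session in the DB. Does NOT compare token hashes,
+ * so it is safe to call concurrently with token rotation.
+ * Throws if the cookie is missing, invalid, or the session was revoked.
  */
  async resolveUserFromCookie() {
  const refreshToken = this.cookieManager.getRefreshToken();
  if (!refreshToken) {
  Err5(this.t("errors.refreshTokenMissing"));
  }
- return this.validateRefreshSession(refreshToken);
+ const userId = this.verifyRefreshToken(refreshToken);
+ const stored = await this.tokenRepository.getRefreshTokenWithFamily(userId);
+ if (!stored) {
+ Err5(this.t("errors.refreshTokenInvalid"));
+ }
+ return userId;
  }
  // ============ USER RETRIEVAL (MAIN METHOD) ============
  async getUser(auth2) {
@@ -1552,9 +1556,6 @@ var TokenService = class TokenService2 {
  }
  const isValid = this.hashToken(refreshToken) === stored.token;
  if (!isValid) {
- if (stored.tokenFamily) {
- await this.tokenRepository.revokeByFamily(stored.tokenFamily);
- }
  Err5(this.t("errors.refreshTokenInvalid"));
  }
  return this.generateTokens(userId, stored.tokenFamily ?? void 0);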
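Review bot: `resolveUserFromCookie` now resolves any refresh JWT whose signature verifies for a user that has a stored session, because `getRefreshTokenWithFamily(userId)` is looked up by user and the row's `token` hash is never compared against the presented cookie — the `const isValid = this.hashToken(refreshToken) === stored.token;` compare exists only in the two other paths in this section. A refresh token that has already been rotated out, which `validateRefreshSession` rejects, therefore still resolves to the user here, a weaker guarantee than the new comment's "Throws if the cookie is missing, invalid, or the session was revoked" suggests. With `revokeByFamily` no longer called on hash mismatch in this hunk and in the hunk at `@@ -1552`, a mismatching token is only rejected and the family is never revoked, so reuse of a leaked refresh token is no longer detected anywhere in this section. If skipping the compare is intentional for concurrent rotation, state the consequence in the comment, e.g. `* Does NOT compare the presented token against the stored hash, so a token that` / `* has already been rotated out is still accepted while the user has any stored session.`, and mirror it in dist/index.d.ts. `verifyRefreshToken` and `getRefreshTokenWithFamily` are defined outside the hunk, so whether expiry or a revoked flag is checked on the stored row cannot be seen here.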
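--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "najm-auth",
- "version": "1.1.19",
+ "version": "1.1.20",
  "description": "Authentication and authorization library for najm framework",
  "type": "module",
  "files": [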