npm - wabe - Versions diffs - 0.6.9 → 0.6.11 - Mend

wabe 0.6.9 → 0.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/README.md +156 -50
package/bucket/b.txt +1 -0
package/dev/index.ts +215 -0
package/dist/authentication/Session.d.ts +4 -1
package/dist/authentication/interface.d.ts +16 -0
package/dist/cron/index.d.ts +0 -1
package/dist/database/DatabaseController.d.ts +41 -13
package/dist/database/interface.d.ts +1 -0
package/dist/email/DevAdapter.d.ts +0 -1
package/dist/email/interface.d.ts +1 -1
package/dist/graphql/resolvers.d.ts +4 -2
package/dist/hooks/index.d.ts +8 -2
package/dist/index.d.ts +0 -1
package/dist/index.js +32144 -32058
package/dist/schema/Schema.d.ts +2 -1
package/dist/server/index.d.ts +4 -2
package/dist/utils/crypto.d.ts +7 -0
package/dist/utils/helper.d.ts +5 -1
package/generated/schema.graphql +22 -14
package/generated/wabe.ts +4 -4
package/package.json +23 -23
package/src/authentication/OTP.test.ts +69 -0
package/src/authentication/OTP.ts +64 -0
package/src/authentication/Session.test.ts +629 -0
package/src/authentication/Session.ts +493 -0
package/src/authentication/defaultAuthentication.ts +209 -0
package/src/authentication/index.ts +3 -0
package/src/authentication/interface.ts +155 -0
package/src/authentication/oauth/GitHub.test.ts +91 -0
package/src/authentication/oauth/GitHub.ts +121 -0
package/src/authentication/oauth/Google.test.ts +91 -0
package/src/authentication/oauth/Google.ts +101 -0
package/src/authentication/oauth/Oauth2Client.test.ts +219 -0
package/src/authentication/oauth/Oauth2Client.ts +135 -0
package/src/authentication/oauth/index.ts +2 -0
package/src/authentication/oauth/utils.test.ts +33 -0
package/src/authentication/oauth/utils.ts +27 -0
package/src/authentication/providers/EmailOTP.test.ts +127 -0
package/src/authentication/providers/EmailOTP.ts +84 -0
package/src/authentication/providers/EmailPassword.test.ts +176 -0
package/src/authentication/providers/EmailPassword.ts +116 -0
package/src/authentication/providers/EmailPasswordSRP.test.ts +208 -0
package/src/authentication/providers/EmailPasswordSRP.ts +179 -0
package/src/authentication/providers/GitHub.ts +24 -0
package/src/authentication/providers/Google.ts +24 -0
package/src/authentication/providers/OAuth.test.ts +185 -0
package/src/authentication/providers/OAuth.ts +106 -0
package/src/authentication/providers/PhonePassword.test.ts +176 -0
package/src/authentication/providers/PhonePassword.ts +115 -0
package/src/authentication/providers/QRCodeOTP.test.ts +77 -0
package/src/authentication/providers/QRCodeOTP.ts +58 -0
package/src/authentication/providers/index.ts +6 -0
package/src/authentication/resolvers/refreshResolver.test.ts +30 -0
package/src/authentication/resolvers/refreshResolver.ts +19 -0
package/src/authentication/resolvers/signInWithResolver.inte.test.ts +59 -0
package/src/authentication/resolvers/signInWithResolver.test.ts +293 -0
package/src/authentication/resolvers/signInWithResolver.ts +92 -0
package/src/authentication/resolvers/signOutResolver.test.ts +38 -0
package/src/authentication/resolvers/signOutResolver.ts +18 -0
package/src/authentication/resolvers/signUpWithResolver.test.ts +180 -0
package/src/authentication/resolvers/signUpWithResolver.ts +65 -0
package/src/authentication/resolvers/verifyChallenge.test.ts +133 -0
package/src/authentication/resolvers/verifyChallenge.ts +62 -0
package/src/authentication/roles.test.ts +49 -0
package/src/authentication/roles.ts +40 -0
package/src/authentication/utils.test.ts +97 -0
package/src/authentication/utils.ts +39 -0
package/src/cache/InMemoryCache.test.ts +62 -0
package/src/cache/InMemoryCache.ts +45 -0
package/src/cron/index.test.ts +17 -0
package/src/cron/index.ts +43 -0
package/src/database/DatabaseController.test.ts +613 -0
package/src/database/DatabaseController.ts +1007 -0
package/src/database/index.test.ts +1372 -0
package/src/database/index.ts +9 -0
package/src/database/interface.ts +302 -0
package/src/email/DevAdapter.ts +7 -0
package/src/email/EmailController.test.ts +29 -0
package/src/email/EmailController.ts +13 -0
package/src/email/index.ts +2 -0
package/src/email/interface.ts +36 -0
package/src/email/templates/sendOtpCode.ts +120 -0
package/src/file/FileController.ts +28 -0
package/src/file/FileDevAdapter.ts +51 -0
package/src/file/hookDeleteFile.ts +25 -0
package/src/file/hookReadFile.ts +66 -0
package/src/file/hookUploadFile.ts +50 -0
package/src/file/index.test.ts +932 -0
package/src/file/index.ts +2 -0
package/src/file/interface.ts +39 -0
package/src/graphql/GraphQLSchema.test.ts +4408 -0
package/src/graphql/GraphQLSchema.ts +880 -0
package/src/graphql/index.ts +2 -0
package/src/graphql/parseGraphqlSchema.ts +85 -0
package/src/graphql/parser.test.ts +203 -0
package/src/graphql/parser.ts +542 -0
package/src/graphql/pointerAndRelationFunction.ts +191 -0
package/src/graphql/resolvers.ts +442 -0
package/src/graphql/tests/aggregation.test.ts +1115 -0
package/src/graphql/tests/e2e.test.ts +590 -0
package/src/graphql/tests/scalars.test.ts +250 -0
package/src/graphql/types.ts +227 -0
package/src/hooks/HookObject.test.ts +122 -0
package/src/hooks/HookObject.ts +165 -0
package/src/hooks/authentication.ts +67 -0
package/src/hooks/createUser.test.ts +77 -0
package/src/hooks/createUser.ts +10 -0
package/src/hooks/defaultFields.test.ts +176 -0
package/src/hooks/defaultFields.ts +32 -0
package/src/hooks/deleteSession.test.ts +181 -0
package/src/hooks/deleteSession.ts +20 -0
package/src/hooks/hashFieldHook.test.ts +152 -0
package/src/hooks/hashFieldHook.ts +89 -0
package/src/hooks/index.test.ts +258 -0
package/src/hooks/index.ts +414 -0
package/src/hooks/permissions.test.ts +412 -0
package/src/hooks/permissions.ts +93 -0
package/src/hooks/protected.test.ts +551 -0
package/src/hooks/protected.ts +60 -0
package/src/hooks/searchableFields.test.ts +147 -0
package/src/hooks/searchableFields.ts +86 -0
package/src/hooks/session.test.ts +134 -0
package/src/hooks/session.ts +76 -0
package/src/hooks/setEmail.test.ts +216 -0
package/src/hooks/setEmail.ts +33 -0
package/src/hooks/setupAcl.test.ts +618 -0
package/src/hooks/setupAcl.ts +25 -0
package/src/index.ts +9 -0
package/src/schema/Schema.test.ts +482 -0
package/src/schema/Schema.ts +757 -0
package/src/schema/defaultResolvers.ts +93 -0
package/src/schema/index.ts +1 -0
package/src/schema/resolvers/meResolver.test.ts +62 -0
package/src/schema/resolvers/meResolver.ts +10 -0
package/src/schema/resolvers/resetPassword.test.ts +341 -0
package/src/schema/resolvers/resetPassword.ts +63 -0
package/src/schema/resolvers/sendEmail.test.ts +118 -0
package/src/schema/resolvers/sendEmail.ts +21 -0
package/src/schema/resolvers/sendOtpCode.test.ts +141 -0
package/src/schema/resolvers/sendOtpCode.ts +52 -0
package/src/security.test.ts +3434 -0
package/src/server/defaultSessionHandler.test.ts +62 -0
package/src/server/defaultSessionHandler.ts +105 -0
package/src/server/generateCodegen.ts +433 -0
package/src/server/index.test.ts +532 -0
package/src/server/index.ts +334 -0
package/src/server/interface.ts +11 -0
package/src/server/routes/authHandler.ts +169 -0
package/src/server/routes/index.ts +39 -0
package/src/utils/crypto.test.ts +41 -0
package/src/utils/crypto.ts +105 -0
package/src/utils/export.ts +11 -0
package/src/utils/helper.ts +204 -0
package/src/utils/index.test.ts +11 -0
package/src/utils/index.ts +189 -0
package/src/utils/preload.ts +8 -0
package/src/utils/testHelper.ts +116 -0
package/tsconfig.json +32 -0
package/bunfig.toml +0 -4
package/dist/ai/index.d.ts +0 -1
package/dist/ai/interface.d.ts +0 -9
/package/dist/server/{defaultHandlers.d.ts → defaultSessionHandler.d.ts} +0 -0

package/src/authentication/Session.test.ts ADDED Viewed

@@ -0,0 +1,629 @@
+import { describe, expect, it, mock, beforeEach } from 'bun:test'
+import { fail } from 'node:assert'
+import crypto from 'node:crypto'
+import jwt, { type JwtPayload } from 'jsonwebtoken'
+import { Session } from './Session'
+const encryptToken = (token: string, secret: string) => {
+	const key = crypto.createHash('sha256').update(secret).digest()
+	const iv = crypto.createHmac('sha256', key).update(token).digest().subarray(0, 12)
+	const cipher = crypto.createCipheriv('aes-256-gcm', key, iv)
+	const encrypted = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()])
+	const tag = cipher.getAuthTag()
+	return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`
+}
+describe('Session', () => {
+	const mockGetObject = mock(() => Promise.resolve({}) as any)
+	const mockGetObjects = mock(() => Promise.resolve([]) as any)
+	const mockCreateObject = mock(() => Promise.resolve({ id: 'userId' })) as any
+	const mockDeleteObject = mock(() => Promise.resolve()) as any
+	const mockUpdateObject = mock(() => Promise.resolve()) as any
+	const controllers = {
+		database: {
+			getObject: mockGetObject,
+			getObjects: mockGetObjects,
+			createObject: mockCreateObject,
+			deleteObject: mockDeleteObject,
+			updateObject: mockUpdateObject,
+		},
+	}
+	beforeEach(() => {
+		mockGetObject.mockClear()
+		mockGetObjects.mockClear()
+		mockCreateObject.mockClear()
+		mockDeleteObject.mockClear()
+		mockUpdateObject.mockClear()
+	})
+	const context = {
+		isRoot: true,
+		wabe: {
+			controllers,
+			config: { authentication: { session: { jwtSecret: 'dev' } } },
+		},
+	} as any
+	it('should set all data set in the jwtTokenFields on create session', async () => {
+		mockGetObject.mockResolvedValueOnce({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		const session = new Session()
+		const jwtTokenFields = {
+			id: true,
+			email: true,
+		}
+		const { accessToken, refreshToken } = await session.create('userId', {
+			isRoot: true,
+			wabe: {
+				controllers,
+				config: {
+					authentication: {
+						session: {
+							jwtSecret: 'dev',
+							jwtTokenFields,
+						},
+					},
+				},
+			},
+		} as any)
+		const decodedAccessToken = jwt.decode(accessToken) as JwtPayload
+		const decodedRefreshToken = jwt.decode(refreshToken) as JwtPayload
+		expect(decodedAccessToken.user).toEqual({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		expect(decodedRefreshToken.user).toEqual({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		expect(mockCreateObject).toHaveBeenCalledWith({
+			className: '_Session',
+			context: expect.any(Object),
+			data: {
+				accessTokenEncrypted: expect.any(String),
+				accessTokenExpiresAt: expect.any(Date),
+				refreshTokenEncrypted: expect.any(String),
+				refreshTokenExpiresAt: expect.any(Date),
+				user: 'userId',
+			},
+			select: { id: true },
+		})
+	})
+	it('should set all data set in the jwtTokenFields on refresh session', async () => {
+		const session = new Session()
+		const { accessToken: oldAccessToken, refreshToken: oldRefreshToken } = await session.create(
+			'userId',
+			context,
+		)
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken(oldRefreshToken, 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+			},
+		])
+		mockGetObject.mockResolvedValue({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		const jwtTokenFields = {
+			id: true,
+			email: true,
+		}
+		const { accessToken, refreshToken } = await session.refresh(oldAccessToken, oldRefreshToken, {
+			isRoot: true,
+			wabe: {
+				controllers,
+				config: {
+					authentication: {
+						session: {
+							jwtSecret: 'dev',
+							jwtTokenFields,
+						},
+					},
+				},
+			},
+		} as any)
+		if (!accessToken || !refreshToken) fail()
+		const decodedAccessToken = jwt.decode(accessToken) as JwtPayload
+		const decodedRefreshToken = jwt.decode(refreshToken) as JwtPayload
+		expect(decodedAccessToken.user).toEqual({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		expect(decodedRefreshToken.user).toEqual({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+	})
+	it('should not set user fields if not jwtTokenFields is set on create session', async () => {
+		mockGetObject.mockResolvedValueOnce({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		const session = new Session()
+		const { accessToken, refreshToken } = await session.create('userId', context)
+		const decodedAccessToken = jwt.decode(accessToken) as JwtPayload
+		const decodedRefreshToken = jwt.decode(refreshToken) as JwtPayload
+		expect(decodedAccessToken.user).toBeUndefined()
+		expect(decodedRefreshToken.user).toBeUndefined()
+	})
+	it('should not set user fields if not jwtTokenFields is set on refresh session', async () => {
+		const session = new Session()
+		const { accessToken: oldAccessToken, refreshToken: oldRefreshToken } = await session.create(
+			'userId',
+			context,
+		)
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken(oldRefreshToken, 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+			},
+		])
+		mockGetObject.mockResolvedValue({
+			id: 'userId',
+			email: 'user@email.com',
+		})
+		const { accessToken, refreshToken } = await session.refresh(
+			oldAccessToken,
+			oldRefreshToken,
+			context,
+		)
+		if (!accessToken || !refreshToken) fail()
+		const decodedAccessToken = jwt.decode(accessToken) as JwtPayload
+		const decodedRefreshToken = jwt.decode(refreshToken) as JwtPayload
+		expect(decodedAccessToken.user).toBeUndefined()
+		expect(decodedRefreshToken.user).toBeUndefined()
+	})
+	it('should returns null if no user found', async () => {
+		mockGetObjects.mockResolvedValue([])
+		const session = new Session()
+		const { accessToken } = await session.create('userId', context)
+		const res = await session.meFromAccessToken({ accessToken, csrfToken: '' }, context)
+		expect(res.user).toBeNull()
+		expect(res.sessionId).toBeNull()
+		expect(mockGetObjects).toHaveBeenCalledTimes(1)
+		expect(mockGetObjects).toHaveBeenCalledWith({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: encryptToken(accessToken, 'dev') },
+				OR: [
+					{
+						accessTokenExpiresAt: {
+							greaterThanOrEqualTo: expect.any(Date),
+						},
+					},
+					{
+						refreshTokenExpiresAt: {
+							greaterThanOrEqualTo: expect.any(Date),
+						},
+					},
+				],
+			},
+			first: 1,
+			select: {
+				id: true,
+				user: true,
+				accessTokenExpiresAt: true,
+				refreshTokenExpiresAt: true,
+				refreshTokenEncrypted: true,
+			},
+			context: expect.any(Object),
+		})
+	})
+	it('should return the user associated with an access token', async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken('refreshToken', 'dev'),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 30),
+			},
+		])
+		const session = new Session()
+		const { accessToken } = await session.create('userId', context)
+		const { sessionId, user } = await session.meFromAccessToken(
+			{ accessToken, csrfToken: '' },
+			{
+				...context,
+				wabe: {
+					...context.wabe,
+					config: {
+						...context.wabe.config,
+						security: { disableCSRFProtection: true },
+					},
+				},
+			},
+		)
+		expect(mockGetObjects).toHaveBeenCalledTimes(1)
+		expect(mockGetObjects).toHaveBeenCalledWith({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: encryptToken(accessToken, 'dev') },
+				OR: [
+					{
+						accessTokenExpiresAt: {
+							greaterThanOrEqualTo: expect.any(Date),
+						},
+					},
+					{
+						refreshTokenExpiresAt: {
+							greaterThanOrEqualTo: expect.any(Date),
+						},
+					},
+				],
+			},
+			first: 1,
+			select: {
+				id: true,
+				user: true,
+				accessTokenExpiresAt: true,
+				refreshTokenExpiresAt: true,
+				refreshTokenEncrypted: true,
+			},
+			context: expect.any(Object),
+		})
+		expect(sessionId).toEqual('sessionId')
+		expect(user?.id).toEqual('userId')
+		expect(user?.email).toEqual('userEmail')
+	})
+	it('should create a new session', async () => {
+		const session = new Session()
+		const fifteenMinutes = new Date(Date.now() + 1000 * 60 * 15)
+		const sevenDays = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7)
+		const { accessToken, refreshToken } = await session.create('userId', context)
+		expect(accessToken).not.toBeUndefined()
+		expect(refreshToken).not.toBeUndefined()
+		if (!accessToken || !refreshToken) fail()
+		const decodedAccessToken = jwt.decode(accessToken) as JwtPayload
+		const decodedRefreshToken = jwt.decode(refreshToken) as JwtPayload
+		expect(decodedAccessToken).not.toBeNull()
+		expect(decodedAccessToken.userId).toEqual('userId')
+		expect(decodedAccessToken.exp).toBeGreaterThanOrEqual(
+			Math.floor(fifteenMinutes.getTime() / 1000),
+		)
+		expect(decodedAccessToken.iat).toBeGreaterThanOrEqual(Math.floor((Date.now() - 500) / 1000)) // minus 500ms to avoid flaky
+		expect(decodedRefreshToken).not.toBeNull()
+		expect(decodedRefreshToken.userId).toEqual('userId')
+		expect(decodedRefreshToken.exp).toBeGreaterThanOrEqual(Math.floor(sevenDays.getTime() / 1000))
+		expect(decodedRefreshToken.iat).toBeGreaterThanOrEqual(Math.floor((Date.now() - 500) / 1000)) // minus 500ms to avoid flaky
+		expect(mockCreateObject).toHaveBeenCalledTimes(1)
+		expect(mockCreateObject).toHaveBeenCalledWith({
+			className: '_Session',
+			context: expect.any(Object),
+			data: {
+				accessTokenEncrypted: expect.any(String),
+				accessTokenExpiresAt: expect.any(Date),
+				refreshTokenEncrypted: expect.any(String),
+				refreshTokenExpiresAt: expect.any(Date),
+				user: 'userId',
+			},
+			select: { id: true },
+		})
+	})
+	it('should delete a session', async () => {
+		const session = new Session()
+		await session.delete({
+			sessionId: 'sessionId',
+			wabe: {
+				controllers,
+			},
+		} as any)
+		expect(mockDeleteObject).toHaveBeenCalledTimes(1)
+		expect(mockDeleteObject).toHaveBeenCalledWith({
+			className: '_Session',
+			context: {
+				sessionId: 'sessionId',
+				wabe: { controllers },
+				isRoot: true,
+			},
+			id: 'sessionId',
+			select: {},
+		})
+	})
+	it('should refresh a session', async () => {
+		const session = new Session()
+		const { accessToken: oldAccessToken, refreshToken: oldRefreshToken } = await session.create(
+			'userId',
+			context,
+		)
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken(oldRefreshToken, 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+			},
+		])
+		const { accessToken, refreshToken } = await session.refresh(
+			oldAccessToken,
+			oldRefreshToken,
+			context,
+		)
+		expect(accessToken).not.toBeUndefined()
+		expect(refreshToken).not.toBeUndefined()
+		expect(mockGetObjects).toHaveBeenCalledTimes(1)
+		expect(mockGetObjects).toHaveBeenCalledWith({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: encryptToken(oldAccessToken, 'dev') },
+				refreshTokenEncrypted: {
+					equalTo: encryptToken(oldRefreshToken, 'dev'),
+				},
+			},
+			select: {
+				id: true,
+				user: {
+					id: true,
+					role: {
+						id: true,
+						name: true,
+					},
+				},
+				refreshTokenEncrypted: true,
+				refreshTokenExpiresAt: true,
+			},
+			context: expect.any(Object),
+		})
+		expect(mockUpdateObject).toHaveBeenCalledTimes(1)
+		expect(mockUpdateObject).toHaveBeenCalledWith({
+			className: '_Session',
+			context: expect.any(Object),
+			id: 'sessionId',
+			data: {
+				accessTokenEncrypted: expect.any(String),
+				accessTokenExpiresAt: expect.any(Date),
+				refreshTokenEncrypted: expect.any(String),
+				refreshTokenExpiresAt: expect.any(Date),
+			},
+			select: {},
+		})
+		const accessTokenExpiresAt = mockUpdateObject.mock.calls[0][0].data.accessTokenExpiresAt as Date
+		const refreshTokenExpiresAt = mockUpdateObject.mock.calls[0][0].data
+			.refreshTokenExpiresAt as Date
+		// -1000 to avoid flaky
+		expect(accessTokenExpiresAt.getTime()).toBeGreaterThan(Date.now() + 1000 * 60 * 15 - 1000)
+		// -1000 to avoid flaky
+		expect(refreshTokenExpiresAt.getTime()).toBeGreaterThan(
+			Date.now() + 1000 * 60 * 60 * 24 * 7 - 1000,
+		)
+	})
+	it('should return null if access token is invalid (malformed)', async () => {
+		const session = new Session()
+		const res = await session.meFromAccessToken(
+			{ accessToken: 'not-a-jwt', csrfToken: '' },
+			context,
+		)
+		expect(res.accessToken).toBeNull()
+		expect(res.user).toBeNull()
+		expect(res.sessionId).toBeNull()
+	})
+	it('should enforce CSRF by default when cookies are used', async () => {
+		const session = new Session()
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken('refreshToken', 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60),
+				accessTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 15),
+				user: {
+					id: 'userId',
+				},
+			},
+		])
+		const res = await session.meFromAccessToken({ accessToken: 'valid.jwt.token', csrfToken: '' }, {
+			isRoot: true,
+			wabe: {
+				controllers,
+				config: {
+					authentication: {
+						session: { jwtSecret: 'dev' },
+					},
+					security: {
+						// disableCSRFProtection undefined => protection ON
+					},
+				},
+			},
+		} as any)
+		expect(res.accessToken).toBeNull()
+		expect(res.user).toBeNull()
+		expect(res.sessionId).toBeNull()
+	})
+	it('should not refresh session if the access token does not already take 75% of time', () => {
+		const session = new Session()
+		// 1 hour
+		const refreshTokenAgeInMs = 1000 * 60 * 60
+		// Expires in 1 hour
+		const date1 = new Date(Date.now() + 1000 * 60 * 60)
+		// Expires in 20 minutes
+		const date2 = new Date(Date.now() + 1000 * 60 * 15)
+		// Expired since 20 minutes
+		const date3 = new Date(Date.now() - 1000 * 60 * 20)
+		expect(session._isRefreshTokenExpired(date1, refreshTokenAgeInMs)).toBe(false)
+		expect(session._isRefreshTokenExpired(date2, refreshTokenAgeInMs)).toBe(true)
+		expect(session._isRefreshTokenExpired(date3, refreshTokenAgeInMs)).toBe(true)
+	})
+	it('should return null on refresh session if session not found', async () => {
+		mockGetObjects.mockResolvedValue([])
+		const session = new Session()
+		const { accessToken: oldAccessToken, refreshToken: oldRefreshToken } = await session.create(
+			'userId',
+			context,
+		)
+		const { accessToken, refreshToken } = await session.refresh(
+			oldAccessToken,
+			oldRefreshToken,
+			context,
+		)
+		expect(accessToken).toBeNull()
+		expect(refreshToken).toBeNull()
+		expect(mockGetObjects).toHaveBeenCalledTimes(1)
+		expect(mockGetObjects).toHaveBeenCalledWith({
+			className: '_Session',
+			where: {
+				accessTokenEncrypted: { equalTo: encryptToken(oldAccessToken, 'dev') },
+				refreshTokenEncrypted: {
+					equalTo: encryptToken(oldRefreshToken, 'dev'),
+				},
+			},
+			select: {
+				id: true,
+				user: {
+					id: true,
+					role: {
+						id: true,
+						name: true,
+					},
+				},
+				refreshTokenEncrypted: true,
+				refreshTokenExpiresAt: true,
+			},
+			context: expect.any(Object),
+		})
+	})
+	it("should throw an error on refresh session if session's refresh token is expired", async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken('refreshToken', 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() - 1000),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+			},
+		])
+		const session = new Session()
+		const { refreshToken, accessToken } = await session.create('userId', context)
+		expect(session.refresh(accessToken, refreshToken, context)).rejects.toThrow(
+			'Refresh token expired',
+		)
+	})
+	it("should throw an error on refresh session if session's refresh token is not the same as the one in the database", async () => {
+		mockGetObjects.mockResolvedValue([
+			{
+				id: 'sessionId',
+				refreshTokenEncrypted: encryptToken('otherRefreshToken', 'dev'),
+				refreshTokenExpiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24),
+				user: {
+					id: 'userId',
+					email: 'userEmail',
+				},
+			},
+		])
+		const session = new Session()
+		const { refreshToken, accessToken } = await session.create('userId', context)
+		expect(session.refresh(accessToken, refreshToken, context)).rejects.toThrow(
+			'Invalid refresh token',
+		)
+	})
+})