Merge pull request #50 from donnfelker/bugfix/check-refresh-token-for…

…-expiration Validate Refresh Token Expiration
danielfsousa · Jun 21, 2018 · 774ebfb · 774ebfb
2 parents 38e10f7 + 7c56d5a
commit 774ebfb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/src/api/models/user.model.js b/src/api/models/user.model.js
@@ -52,8 +52,8 @@ const userSchema = new mongoose.Schema({
     trim: true,
   },
 }, {
-  timestamps: true,
-});
+    timestamps: true,
+  });
 
 /**
  * Add your
@@ -159,7 +159,11 @@ userSchema.statics = {
       }
       err.message = 'Incorrect email or password';
     } else if (refreshObject && refreshObject.userEmail === email) {
-      return { user, accessToken: user.token() };
+      if (moment(refreshObject.expires).isBefore()) {
+        err.message = 'Invalid refresh token.';
+      } else {
+        return { user, accessToken: user.token() };
+      }
     } else {
       err.message = 'Incorrect email or refreshToken';
     }

diff --git a/src/api/tests/integration/auth.test.js b/src/api/tests/integration/auth.test.js
@@ -3,6 +3,7 @@ const request = require('supertest');
 const httpStatus = require('http-status');
 const { expect } = require('chai');
 const sinon = require('sinon');
+const moment = require('moment-timezone');
 const app = require('../../../index');
 const User = require('../../models/user.model');
 const RefreshToken = require('../../models/refreshToken.model');
@@ -41,7 +42,14 @@ describe('Authentication API', () => {
       token: '5947397b323ae82d8c3a333b.c69d0435e62c9f4953af912442a3d064e20291f0d228c0552ed4be473e7d191ba40b18c2c47e8b9d',
       userId: '5947397b323ae82d8c3a333b',
       userEmail: dbUser.email,
-      expires: new Date(),
+      expires: moment().add(1, 'day').toDate(),
+    };
+
+    expiredRefreshToken = {
+      token: '5947397b323ae82d8c3a333b.c69d0435e62c9f4953af912442a3d064e20291f0d228c0552ed4be473e7d191ba40b18c2c47e8b9d',
+      userId: '5947397b323ae82d8c3a333b',
+      userEmail: dbUser.email,
+      expires: moment().subtract(1, 'day').toDate(),
     };
 
     await User.remove({});
@@ -314,5 +322,19 @@ describe('Authentication API', () => {
           expect(messages2).to.include('"refreshToken" is required');
         });
     });
+
+    it('should report error when the refreshToken is expired', async () => {
+      await RefreshToken.create(expiredRefreshToken);
+
+      return request(app)
+        .post('/v1/auth/refresh-token')
+        .send({ email: dbUser.email, refreshToken: expiredRefreshToken.token })
+        .expect(httpStatus.UNAUTHORIZED)
+        .then((res) => {
+          expect(res.body.code).to.be.equal(401);
+          expect(res.body.message).to.be.equal('Invalid refresh token.');
+        });
+    });
+
   });
 });