Merge pull request #247 from kinde-oss/fix/refresh-token

Fix/refresh token
kinde-oss · Nov 26, 2024 · 9c99f2f · 9c99f2f
2 parents 98285b9 + bb17e9a
commit 9c99f2f
Show file tree

Hide file tree

Showing 15 changed files with 198 additions and 128 deletions.
diff --git a/src/authMiddleware/authMiddleware.ts b/src/authMiddleware/authMiddleware.ts
@@ -2,7 +2,7 @@ import {NextResponse} from 'next/server';
 import {config} from '../config/index';
 import {type KindeAccessToken, KindeIdToken} from '../../types';
 import {jwtDecoder} from '@kinde/jwt-decoder';
-import { validateToken } from '../utils/validateToken';
+import {validateToken} from '../utils/validateToken';
 
 const handleMiddleware = async (req, options, onSuccess) => {
   const {pathname} = req.nextUrl;
@@ -62,9 +62,8 @@ const handleMiddleware = async (req, options, onSuccess) => {
     });
   }
 
-
   if (isTokenValid && customValidationValid) {
-    return NextResponse.next();;
+    return NextResponse.next();
   }
 
   return NextResponse.redirect(

diff --git a/src/handlers/setup.ts b/src/handlers/setup.ts
@@ -2,7 +2,8 @@ import {jwtDecoder} from '@kinde/jwt-decoder';
 import {KindeAccessToken, KindeIdToken} from '../../types';
 import {config} from '../config/index';
 import {generateUserObject} from '../utils/generateUserObject';
-import { validateToken } from '../utils/validateToken';
+import {validateToken} from '@kinde/jwt-validator';
+import {refreshTokens} from '../utils/refreshTokens';
 
 /**
  *
@@ -11,27 +12,34 @@ import { validateToken } from '../utils/validateToken';
  */
 export const setup = async (routerClient) => {
   try {
-    const accessTokenEncoded =
+    let accessTokenEncoded =
       await routerClient.sessionManager.getSessionItem('access_token');
 
     const isAccessTokenValid = await validateToken({
       token: accessTokenEncoded
-    })
+    });
 
     if (!isAccessTokenValid) {
-      throw new Error('Invalid access token');
+      if (!(await refreshTokens(routerClient.sessionManager))) {
+        throw new Error('Invalid access token and refresh');
+      }
+      accessTokenEncoded =
+        await routerClient.sessionManager.getSessionItem('access_token');
     }
 
-    const idTokenEncoded =
+    let idTokenEncoded =
       await routerClient.sessionManager.getSessionItem('id_token');
 
-
     const isIdTokenValid = await validateToken({
       token: idTokenEncoded
-    })
+    });
 
     if (!isIdTokenValid) {
-      throw new Error('Invalid id token');
+      if (!(await refreshTokens(routerClient.sessionManager))) {
+        throw new Error('Invalid access token and refresh');
+      }
+      idTokenEncoded =
+        await routerClient.sessionManager.getSessionItem('id_token');
     }
 
     const accessToken = jwtDecoder<KindeAccessToken>(accessTokenEncoded);

diff --git a/src/routerClients/AppRouterClient.js b/src/routerClients/AppRouterClient.js
@@ -36,13 +36,13 @@ export default class AppRouterClient extends RouterClient {
       this.clientConfig
     );
     this.url = new URL(req.url);
-    
+
     this.req = req;
     this.searchParams = req.nextUrl.searchParams;
     this.onErrorCallback = options?.onError;
   }
 
-  async createStore () {
+  async createStore() {
     this.sessionManager = appRouterSessionManager(await cookies());
   }
 

diff --git a/src/session/getAccessToken.js b/src/session/getAccessToken.js
@@ -1,6 +1,6 @@
 import {config} from '../config/index';
 import {jwtDecoder} from '@kinde/jwt-decoder';
-import { getAccessToken } from '../utils/getAccessToken';
+import {getAccessToken} from '../utils/getAccessToken';
 
 /**
  * @callback getAccessToken
@@ -17,7 +17,7 @@ import { getAccessToken } from '../utils/getAccessToken';
 export const getAccessTokenFactory = (req, res) => async () => {
   try {
     const accessToken = await getAccessToken(req, res);
-    return jwtDecoder(accessToken) 
+    return jwtDecoder(accessToken);
   } catch (err) {
     if (config.isDebugMode) {
       console.error(err);

diff --git a/src/session/getIdToken.js b/src/session/getIdToken.js
@@ -1,7 +1,7 @@
 import {sessionManager} from './sessionManager';
 import {config} from '../config/index';
 import {jwtDecoder} from '@kinde/jwt-decoder';
-import { getIdToken } from '../utils/getIdToken';
+import {getIdToken} from '../utils/getIdToken';
 
 /**
  * @callback getIdToken

diff --git a/src/session/getOrganization.ts b/src/session/getOrganization.ts
@@ -3,7 +3,7 @@ import {KindeAccessToken, KindeIdToken} from '../../types';
 import {config} from '../config/index';
 import {generateOrganizationObject} from '../utils/generateOrganizationObject';
 import {sessionManager} from './sessionManager';
-import { getAccessToken } from '../utils/getAccessToken';
+import {getAccessToken} from '../utils/getAccessToken';
 /**
  * @callback getOrganization
  * @returns {Promise<import('../../types').KindeOrganization | null>}
@@ -17,16 +17,16 @@ import { getAccessToken } from '../utils/getAccessToken';
  */
 export const getOrganizationFactory = (req, res) => async () => {
   try {
-    const idTokenString = await (await sessionManager(req, res)).getSessionItem(
-      'id_token'
-    );
+    const idTokenString = await (
+      await sessionManager(req, res)
+    ).getSessionItem('id_token');
     if (!idTokenString) {
       throw new Error('ID token is missing');
     }
     const idToken = jwtDecoder<KindeIdToken>(idTokenString as string);
 
-    const accessToken = await getAccessToken(req, res);
-    const decodedToken = jwtDecoder<KindeAccessToken>(accessToken) 
+    const accessToken = (await getAccessToken(req, res)) as string;
+    const decodedToken = jwtDecoder<KindeAccessToken>(accessToken);
 
     return generateOrganizationObject(idToken, decodedToken);
   } catch (error) {

diff --git a/src/session/getUser.ts b/src/session/getUser.ts
@@ -4,8 +4,8 @@ import {config} from '../config/index';
 import {generateUserObject} from '../utils/generateUserObject';
 import {sessionManager} from './sessionManager';
 import {jwtDecoder} from '@kinde/jwt-decoder';
-import { getAccessToken } from '../utils/getAccessToken';
-import { getIdToken } from '../utils/getIdToken';
+import {getAccessToken} from '../utils/getAccessToken';
+import {getIdToken} from '../utils/getIdToken';
 
 export const getUserFactory =
   (req: NextApiRequest, res: NextApiResponse) =>
@@ -15,13 +15,13 @@ export const getUserFactory =
       if (!rawToken) {
         return null;
       }
-      const idToken = jwtDecoder<KindeIdToken>(rawToken);
+      const idToken = jwtDecoder<KindeIdToken>(rawToken as string);
 
       const accessToken = await getAccessToken(req, res);
       if (!accessToken) {
         return null;
       }
-      const decodedToken = jwtDecoder<KindeAccessToken>(accessToken) 
+      const decodedToken = jwtDecoder<KindeAccessToken>(accessToken as string);
 
       return generateUserObject(idToken, decodedToken) as KindeUser<T>;
     } catch (error) {

diff --git a/src/session/isAuthenticated.js b/src/session/isAuthenticated.js
@@ -1,5 +1,5 @@
 import {getUserFactory} from './getUser';
-import { getAccessToken } from '../utils/getAccessToken';
+import {getAccessToken} from '../utils/getAccessToken';
 
 /**
  *

diff --git a/src/session/sessionManager.js b/src/session/sessionManager.js
@@ -30,7 +30,7 @@ const splitString = (str, length) => {
   if (length <= 0) {
     return [];
   }
-  return str.match(new RegExp(`.{1,${length}}`, 'g')) || [];  
+  return str.match(new RegExp(`.{1,${length}}`, 'g')) || [];
 };
 
 /**

diff --git a/src/utils/generateOrganizationObject.ts b/src/utils/generateOrganizationObject.ts
@@ -22,10 +22,10 @@ export const generateOrganizationObject = (
   idToken: KindeIdToken,
   accessToken: KindeAccessToken
 ) => {
-  if (!accessToken.org_code || !accessToken.org_name) {  
-    throw new Error('Missing required organization fields in access token');  
-  }  
-  
+  if (!accessToken.org_code || !accessToken.org_name) {
+    throw new Error('Missing required organization fields in access token');
+  }
+
   return {
     orgCode: accessToken.org_code,
     orgName: accessToken.org_name,

diff --git a/src/utils/getAccessToken.ts b/src/utils/getAccessToken.ts
@@ -1,36 +1,44 @@
 import {config} from '../config';
 import {sessionManager} from '../session/sessionManager';
-import { NextApiRequest, NextApiResponse } from "next";
-import { validateToken } from './validateToken';
+import {NextApiRequest, NextApiResponse} from 'next';
+import {kindeClient} from '../session/kindeServerClient';
+import {validateToken} from './validateToken';
 
-export const getAccessToken = async(req: NextApiRequest, res: NextApiResponse) => {
-    try {
-        const session = await sessionManager(req, res);
-        const token = await session.getSessionItem('access_token');
+export const getAccessToken = async (
+  req: NextApiRequest,
+  res: NextApiResponse
+) => {
+  try {
+    const session = await sessionManager(req, res);
+    const token = await session.getSessionItem('access_token');
 
-        if (!token || typeof token !== 'string') {
-            if (config.isDebugMode) {
-                console.error('getAccessToken: invalid token or token is missing');
-            }
-            return null;
-        }
+    if (!token || typeof token !== 'string') {
+      if (config.isDebugMode) {
+        console.error('getAccessToken: invalid token or token is missing');
+      }
+      return null;
+    }
 
-        const isTokenValid = await validateToken({
-            token
-          });
+    const isTokenValid = await validateToken({
+      token
+    });
 
-        if (!isTokenValid) {
-            if (config.isDebugMode) {
-                console.error('getAccessToken: invalid token');
-            }
-            return null;
-        }
+    if (!isTokenValid) {
+      // look for refresh token
+      if (await kindeClient.refreshTokens(session)) {
+        return await session.getSessionItem('access_token');
+      }
 
-        return token
-    } catch (error) {
-        if (config.isDebugMode) {
-            console.error('getAccessToken', error);
-        }
-        return null;
+      if (config.isDebugMode) {
+        console.error('getAccessToken: invalid token');
+      }
+      return null;
+    }
+    return token;
+  } catch (error) {
+    if (config.isDebugMode) {
+      console.error('getAccessToken', error);
     }
-}
+    return null;
+  }
+};
diff --git a/src/utils/getIdToken.ts b/src/utils/getIdToken.ts
@@ -1,36 +1,56 @@
 import {config} from '../config';
 import {sessionManager} from '../session/sessionManager';
-import { NextApiRequest, NextApiResponse } from "next";
-import { validateToken } from './validateToken';
+import {NextApiRequest, NextApiResponse} from 'next';
+import {validateToken} from './validateToken';
+import {kindeClient} from '../session/kindeServerClient';
 
-export const getIdToken = async(req: NextApiRequest, res: NextApiResponse) => {
-    try {
-        const session = await sessionManager(req, res);
-        const token = await session.getSessionItem('id_token');
+export const getIdToken = async (req: NextApiRequest, res: NextApiResponse) => {
+  const tokenKey = 'id_token';
+  try {
+    const session = await sessionManager(req, res);
+    const token = await session.getSessionItem(tokenKey);
 
-        if (!token || typeof token !== 'string') {
-            if (config.isDebugMode) {
-                console.error('getIdToken: invalid token or token is missing');
-            }
-            return null;
-        }
+    if (!token || typeof token !== 'string') {
+      if (config.isDebugMode) {
+        console.error('getIdToken: invalid token or token is missing');
+      }
+      return null;
+    }
 
-        const isTokenValid = await validateToken({
-            token
-          });
+    const isTokenValid = await validateToken({
+      token
+    });
 
-        if (!isTokenValid) {
-            if (config.isDebugMode) {
-                console.error('getIdToken: invalid token');
-            }
-            return null;
+    if (!isTokenValid) {
+      try {
+        const refreshSuccess = await kindeClient.refreshTokens(session);
+        if (refreshSuccess) {
+          const newToken = await session.getSessionItem(tokenKey);
+          const isNewTokenValid = await validateToken({token: newToken as string});
+          if (isNewTokenValid) {
+            return newToken;
+          }
         }
-
-        return token
-    } catch (error) {
         if (config.isDebugMode) {
-            console.error('getIdToken', error);
+          console.error('getIdToken: token refresh failed');
+        }
+      } catch (error) {
+        if (config.isDebugMode) {
+          console.error('getIdToken: error during token refresh', error);
         }
-        return null;
+      }
+
+      if (config.isDebugMode) {
+        console.error('getIdToken: invalid token');
+      }
+      return null;
+    }
+
+    return token;
+  } catch (error) {
+    if (config.isDebugMode) {
+      console.error('getIdToken', error);
     }
-}
+    return null;
+  }
+};
diff --git a/src/utils/refreshTokens.ts b/src/utils/refreshTokens.ts
@@ -0,0 +1,32 @@
+import {validateToken} from '@kinde/jwt-validator';
+import {config} from '../config';
+import {kindeClient} from '../session/kindeServerClient';
+import {SessionManager} from '@kinde-oss/kinde-typescript-sdk';
+
+export const refreshTokens = async (
+  session: SessionManager
+): Promise<boolean> => {
+  try {
+    const refreshResult = await kindeClient.refreshTokens(session);
+    if (!refreshResult) {
+      return false;
+    }
+
+    const token = await session.getSessionItem('access_token');
+
+    if (token && typeof token === 'string') {
+      const validationResult = await validateToken({
+        token,
+        domain: config.issuerURL
+      });
+
+      return validationResult.valid;
+    }
+    return false;
+  } catch (error) {
+    if (config.isDebugMode) {
+      console.error('refreshTokens', error);
+    }
+    return false;
+  }
+};