feat: Improve security of access tokens (#279)

Closes #275
2022-08-09 18:03:21 +02:00
parent dab38cbc18
commit 7786533a90
40 changed files with 273 additions and 133 deletions
--- a/server/api/helpers/utils/create-token.js
+++ b/server/api/helpers/utils/create-token.js
@@ -0,0 +1,29 @@
+const jwt = require('jsonwebtoken');
+
+module.exports = {
+  sync: true,
+
+  inputs: {
+    subject: {
+      type: 'json',
+      required: true,
+    },
+    issuedAt: {
+      type: 'ref',
+    },
+  },
+
+  fn(inputs) {
+    const { issuedAt = new Date() } = inputs;
+    const iat = Math.floor(issuedAt / 1000);
+
+    return jwt.sign(
+      {
+        iat,
+        sub: inputs.subject,
+        exp: iat + sails.config.custom.tokenExpiresIn * 24 * 60 * 60,
+      },
+      sails.config.session.secret,
+    );
+  },
+};
--- a/server/api/helpers/utils/sign-token.js
+++ b/server/api/helpers/utils/sign-token.js
@@ -1,16 +0,0 @@
-const jwt = require('jsonwebtoken');
-
-module.exports = {
-  sync: true,
-
-  inputs: {
-    payload: {
-      type: 'json',
-      required: true,
-    },
-  },
-
-  fn(inputs) {
-    return jwt.sign(inputs.payload, sails.config.session.secret);
-  },
-};
--- a/server/api/helpers/utils/verify-token.js
+++ b/server/api/helpers/utils/verify-token.js
@@ -15,10 +15,16 @@ module.exports = {
  },

  fn(inputs) {
+    let payload;
    try {
-      return jwt.verify(inputs.token, sails.config.session.secret);
+      payload = jwt.verify(inputs.token, sails.config.session.secret);
    } catch (error) {
      throw 'invalidToken';
    }
+
+    return {
+      subject: payload.sub,
+      issuedAt: new Date(payload.iat * 1000),
+    };
  },
 };