🔒 fix: update refresh token handling to use plain token instead of ha…

…shed token (#5088) * 🔒 fix: update refresh token handling to use plain token instead of hashed token * 🔒 fix: simplify logoutUser by using plain refresh token for session lookup
danny-avila · Dec 23, 2024 · d6f1ecf · d6f1ecf
1 parent 04923dd
commit d6f1ecf
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 11 deletions.
diff --git a/api/server/controllers/AuthController.js b/api/server/controllers/AuthController.js
@@ -7,7 +7,6 @@ const {
   requestPasswordReset,
 } = require('~/server/services/AuthService');
 const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
-const { hashToken } = require('~/server/utils/crypto');
 const { logger } = require('~/config');
 
 const registrationController = async (req, res) => {
@@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
       return res.status(200).send({ token, user });
     }
 
-    // Hash the refresh token
-    const hashedToken = await hashToken(refreshToken);
-
     // Find the session with the hashed refresh token
-    const session = await findSession({ userId: userId, refreshToken: hashedToken });
+    const session = await findSession({ userId: userId, refreshToken: refreshToken });
+
     if (session && session.expiration > new Date()) {
       const token = await setAuthTokens(userId, res, session._id);
       res.status(200).send({ token, user });

diff --git a/api/server/services/AuthService.js b/api/server/services/AuthService.js
@@ -22,7 +22,6 @@ const {
 const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { registerSchema } = require('~/strategies/validators');
-const { hashToken } = require('~/server/utils/crypto');
 const { logger } = require('~/config');
 
 const domains = {
@@ -42,10 +41,7 @@ const genericVerificationMessage = 'Please check your email to verify your email
  */
 const logoutUser = async (userId, refreshToken) => {
   try {
-    const hash = await hashToken(refreshToken);
-
-    // Find the session with the matching user and refreshTokenHash
-    const session = await findSession({ userId: userId, refreshToken: hash });
+    const session = await findSession({ userId: userId, refreshToken: refreshToken });
 
     if (session) {
       try {
@@ -343,7 +339,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
     let refreshTokenExpires;
 
     if (sessionId) {
-      session = await findSession({ sessionId: sessionId });
+      session = await findSession({ sessionId: sessionId }, { lean: false });
       refreshTokenExpires = session.expiration.getTime();
       refreshToken = await generateRefreshToken(session);
     } else {