Merge pull request #291 from sasjs/issue-290

fix: in getTokensFromDB handle the scenario when tokens are expired

api/src/utils/getTokensFromDB.ts

@@ -1,6 +1,27 @@
 import jwt from 'jsonwebtoken'
 import User from '../model/User'
 
+const isValidToken = async (
+  token: string,
+  key: string,
+  userId: number,
+  clientId: string
+) => {
+  const promise = new Promise<boolean>((resolve, reject) =>
+    jwt.verify(token, key, (err, decoded) => {
+      if (err) return reject(false)
+
+      if (decoded?.userId === userId && decoded?.clientId === clientId) {
+        return resolve(true)
+      }
+
+      return reject(false)
+    })
+  )
+
+  return await promise.then(() => true).catch(() => false)
+}
+
 export const getTokensFromDB = async (userId: number, clientId: string) => {
   const user = await User.findOne({ id: userId })
   if (!user) return
@@ -13,22 +34,22 @@ export const getTokensFromDB = async (userId: number, clientId: string) => {
     const accessToken = currentTokenObj.accessToken
     const refreshToken = currentTokenObj.refreshToken
 
-    const verifiedAccessToken: any = jwt.verify(
+    const isValidAccessToken = await isValidToken(
       accessToken,
-      process.secrets.ACCESS_TOKEN_SECRET
+      process.secrets.ACCESS_TOKEN_SECRET,
+      userId,
+      clientId
     )
 
-    const verifiedRefreshToken: any = jwt.verify(
+    const isValidRefreshToken = await isValidToken(
       refreshToken,
-      process.secrets.REFRESH_TOKEN_SECRET
+      process.secrets.REFRESH_TOKEN_SECRET,
+      userId,
+      clientId
     )
 
-    if (
-      verifiedAccessToken?.userId === userId &&
-      verifiedAccessToken?.clientId === clientId &&
-      verifiedRefreshToken?.userId === userId &&
-      verifiedRefreshToken?.clientId === clientId
-    )
+    if (isValidAccessToken && isValidRefreshToken) {
       return { accessToken, refreshToken }
+    }
   }
 }