Merge pull request #774 from ozsay/accounts-server-custom-tokens-creator

[discuss] accounts-server token creator

Author: davidyaha

packages/database-mongo/__tests__/index.ts

@@ -679,6 +679,33 @@ describe('Mongo', () => {
       expect(ret!.updatedAt).toBeTruthy();
       expect(ret!.createdAt).not.toEqual(ret!.updatedAt);
     });
+
+    it('should update session with token', async () => {
+      const token = generateRandomToken();
+      const token2 = generateRandomToken();
+      const sessionId = await databaseTests.database.createSession(session.userId, token, {
+        ip: session.ip,
+        userAgent: session.userAgent,
+      });
+      await delay(10);
+      await databaseTests.database.updateSession(
+        sessionId,
+        {
+          ip: 'new ip',
+          userAgent: 'new user agent',
+        },
+        token2
+      );
+      const ret = await databaseTests.database.findSessionById(sessionId);
+      expect(ret!.userId).toEqual(session.userId);
+      expect(ret!.ip).toEqual('new ip');
+      expect(ret!.userAgent).toEqual('new user agent');
+      expect(ret!.valid).toEqual(true);
+      expect(ret!.token).toEqual(token2);
+      expect(ret!.createdAt).toBeTruthy();
+      expect(ret!.updatedAt).toBeTruthy();
+      expect(ret!.createdAt).not.toEqual(ret!.updatedAt);
+    });
   });
 
   describe('invalidateSession', () => {

packages/database-mongo/src/mongo.ts

@@ -319,18 +319,25 @@ export class Mongo implements DatabaseInterface {
     return ret.ops[0]._id.toString();
   }
 
-  public async updateSession(sessionId: string, connection: ConnectionInformations): Promise<void> {
+  public async updateSession(
+    sessionId: string,
+    connection: ConnectionInformations,
+    newToken?: string
+  ): Promise<void> {
+    const updateClause = {
+      $set: {
+        userAgent: connection.userAgent,
+        ip: connection.ip,
+        [this.options.timestamps.updatedAt]: this.options.dateProvider(),
+      },
+    };
+
+    if (newToken) {
+      updateClause.$set.token = newToken;
+    }
+
     const _id = this.options.convertSessionIdToMongoObjectId ? toMongoID(sessionId) : sessionId;
-    await this.sessionCollection.updateOne(
-      { _id },
-      {
-        $set: {
-          userAgent: connection.userAgent,
-          ip: connection.ip,
-          [this.options.timestamps.updatedAt]: this.options.dateProvider(),
-        },
-      }
-    );
+    await this.sessionCollection.updateOne({ _id }, updateClause);
   }
 
   public async invalidateSession(sessionId: string): Promise<void> {

packages/server/__tests__/account-server.ts

@@ -540,7 +540,60 @@ describe('AccountsServer', () => {
         refreshToken: 'newRefreshToken',
       });
       const res = await accountsServer.refreshTokens(accessToken, refreshToken, 'ip', 'user agent');
-      expect(updateSession.mock.calls[0]).toEqual(['456', { ip: 'ip', userAgent: 'user agent' }]);
+      expect(updateSession.mock.calls[0]).toEqual([
+        '456',
+        { ip: 'ip', userAgent: 'user agent' },
+        undefined,
+      ]);
+      expect((res as any).user).toEqual({
+        userId: '123',
+        username: 'username',
+      });
+    });
+
+    it('updates session and returns new tokens and user with new session token', async () => {
+      const updateSession = jest.fn(() => Promise.resolve());
+      const user = {
+        userId: '123',
+        username: 'username',
+      };
+      const accountsServer = new AccountsServer(
+        {
+          db: {
+            findSessionByToken: () =>
+              Promise.resolve({
+                id: '456',
+                valid: true,
+                userId: '123',
+              }),
+            findUserById: () => Promise.resolve(user),
+            updateSession,
+          } as any,
+          tokenSecret: 'secret1',
+          createNewSessionTokenOnRefresh: true,
+          tokenCreator: {
+            createToken: async () => {
+              return '123';
+            },
+          },
+        },
+        {}
+      );
+      const { accessToken, refreshToken } = accountsServer.createTokens({
+        token: '456',
+        userId: user.userId,
+      });
+      accountsServer.createTokens = () => ({
+        accessToken: 'newAccessToken',
+        refreshToken: 'newRefreshToken',
+      });
+
+      const res = await accountsServer.refreshTokens(accessToken, refreshToken, 'ip', 'user agent');
+      expect(updateSession.mock.calls[0]).toEqual([
+        '456',
+        { ip: 'ip', userAgent: 'user agent' },
+        '123',
+      ]);
       expect((res as any).user).toEqual({
         userId: '123',
         username: 'username',

packages/server/src/accounts-server.ts

@@ -37,6 +37,7 @@ const defaultOptions = {
   userObjectSanitizer: (user: User) => user,
   sendMail,
   siteUrl: 'http://localhost:3000',
+  createNewSessionTokenOnRefresh: false,
 };
 
 export class AccountsServer {
@@ -138,7 +139,7 @@ Please change it with a strong random token.`);
    */
   public async loginWithUser(user: User, infos: ConnectionInformations): Promise<LoginResult> {
     const { ip, userAgent } = infos;
-    const token = generateRandomToken();
+    const token = await this.createSessionToken(user);
     const sessionId = await this.db.createSession(user.id, token, {
       ip,
       userAgent,
@@ -300,8 +301,14 @@ Please change it with a strong random token.`);
         if (!user) {
           throw new Error('User not found');
         }
-        const tokens = this.createTokens({ token: sessionToken, userId: user.id });
-        await this.db.updateSession(session.id, { ip, userAgent });
+
+        let newToken;
+        if (this.options.createNewSessionTokenOnRefresh) {
+          newToken = await this.createSessionToken(user);
+        }
+
+        const tokens = this.createTokens({ token: newToken || sessionToken, userId: user.id });
+        await this.db.updateSession(session.id, { ip, userAgent }, newToken);
 
         const result = {
           sessionId: session.id,
@@ -515,6 +522,12 @@ Please change it with a strong random token.`);
     const siteUrl = this.options.siteUrl;
     return `${siteUrl}/${pathFragment}/${token}`;
   }
+
+  private async createSessionToken(user: User): Promise<string> {
+    return this.options.tokenCreator
+      ? this.options.tokenCreator.createToken(user)
+      : generateRandomToken();
+  }
 }
 
 export default AccountsServer;

packages/server/src/types/accounts-server-options.ts

@@ -5,6 +5,7 @@ import { UserObjectSanitizerFunction } from './user-object-sanitizer-function';
 import { ResumeSessionValidator } from './resume-session-validator';
 import { PrepareMailFunction } from './prepare-mail-function';
 import { SendMailType } from './send-mail-type';
+import { TokenCreator } from './token-creator';
 
 export interface AccountsServerOptions {
   /**
@@ -24,4 +25,9 @@ export interface AccountsServerOptions {
   siteUrl?: string;
   prepareMail?: PrepareMailFunction;
   sendMail?: SendMailType;
+  tokenCreator?: TokenCreator;
+  /**
+   * Creates a new session token each time a user refreshes his access token
+   */
+  createNewSessionTokenOnRefresh?: boolean;
 }

packages/server/src/types/token-creator.ts

@@ -0,0 +1,5 @@
+import { User } from '@accounts/types';
+
+export interface TokenCreator {
+  createToken(user: User): Promise<string>;
+}

packages/types/src/types/database-interface.ts

@@ -70,7 +70,11 @@ export interface DatabaseInterfaceSessions {
     extraData?: object
   ): Promise<string>;
 
-  updateSession(sessionId: string, connection: ConnectionInformations): Promise<void>;
+  updateSession(
+    sessionId: string,
+    connection: ConnectionInformations,
+    newToken?: string
+  ): Promise<void>;
 
   invalidateSession(sessionId: string): Promise<void>;