feat: fix refresh token constraint

copyyt · Feb 6, 2025 · c8d2265 · c8d2265
1 parent 50e41ac
commit c8d2265
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
@@ -87,7 +87,6 @@ export class AuthController {
     };
   }
 
-  @UseGuards(AuthGuard)
   @Post("/resend-email-otp")
   async resendEmailOtp(
     @Body() data: ResendOtpEmailDto,

diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -86,11 +86,7 @@ export class AuthService {
         Number(this.configService.get<string>("REFRESH_TOKEN_EXPIRE_DAYS")),
     );
 
-    await this.refreshTokenModel.findOneAndUpdate(
-      { userId: user._id },
-      { token, expiresAt },
-      { upsert: true, new: true },
-    );
+    await this.refreshTokenModel.create({ userId: user._id, token, expiresAt });
 
     return { token, expiry: expiresAt };
   }
@@ -130,6 +126,16 @@ export class AuthService {
     if (!user) {
       throw new UnauthorizedException("Invalid or expired refresh token");
     }
+    try {
+      await this.jwtService.verifyAsync(refreshToken, {
+        secret: this.configService.get<string>("REFRESH_SECRET_KEY"),
+      });
+    } catch {
+      throw new UnauthorizedException("Invalid or expired refresh token");
+    }
+
+    // remove the old token
+    await this.refreshTokenModel.deleteOne({ token: refreshToken });
 
     return await this.generateTokensForUser(user);
   }
@@ -227,7 +233,6 @@ export class AuthService {
     };
   }
 
-  // TODO: Protect with Auth
   async resendEmailVerificationOtp(data: ResendOtpEmailDto): Promise<{
     message: string;
   }> {

diff --git a/src/auth/schemas/refresh-token.schema.ts b/src/auth/schemas/refresh-token.schema.ts
@@ -5,7 +5,7 @@ export type RefreshTokenDocument = HydratedDocument<RefreshToken>;
 
 @Schema({ timestamps: true })
 export class RefreshToken {
-  @Prop({ required: true, unique: true, ref: "User" })
+  @Prop({ required: true, ref: "User" })
   userId: Types.ObjectId;
 
   @Prop({ required: true })