chore: Update auth flow (#9959)

2024-11-06 21:21:45 +01:00
parent 505768dd9f
commit 441004cc21
3 changed files with 41 additions and 5 deletions
--- a/integration-tests/http/tests/auth/admin/auth.spec.ts
+++ b/integration-tests/http/tests/auth/admin/auth.spec.ts
@@ -1,6 +1,6 @@
 import { generateResetPasswordTokenWorkflow } from "@medusajs/core-flows"
-import jwt from "jsonwebtoken"
 import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
+import jwt from "jsonwebtoken"
 import {
  adminHeaders,
  createAdminUser,
@@ -264,6 +264,28 @@ medusaIntegrationTestRunner({
        expect(response.response.status).toEqual(401)
        expect(response.response.data.message).toEqual("Invalid token")
      })
+
+      it("should fail if no token is passed", async () => {
+        jest.useFakeTimers()
+
+        // Register user
+        await api.post("/auth/user/emailpass/register", {
+          email: "test@medusa-commerce.com",
+          password: "secret_password",
+        })
+
+        // Advance time by 15 minutes
+        jest.advanceTimersByTime(15 * 60 * 1000)
+
+        const response = await api
+          .post(`/auth/user/emailpass/update`, {
+            email: "test@medusa-commerce.com",
+          })
+          .catch((e) => e)
+
+        expect(response.response.status).toEqual(401)
+        expect(response.response.data.message).toEqual("Invalid token")
+      })
    })

    it("should refresh the token successfully", async () => {
--- a/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts
+++ b/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts
@@ -56,6 +56,7 @@ export const generateResetPasswordTokenWorkflow = createWorkflow(
      }
    )

+
    emitEventStep({
      eventName: AuthWorkflowEvents.PASSWORD_RESET,
      data: { entity_id: input.entityId, actorType: input.actorType, token },
--- a/packages/medusa/src/api/auth/utils/validate-token.ts
+++ b/packages/medusa/src/api/auth/utils/validate-token.ts
@@ -5,7 +5,11 @@ import {
  MedusaResponse,
 } from "@medusajs/framework/http"
 import { ConfigModule, IAuthModuleService } from "@medusajs/framework/types"
-import { ContainerRegistrationKeys, Modules } from "@medusajs/framework/utils"
+import {
+  ContainerRegistrationKeys,
+  MedusaError,
+  Modules,
+} from "@medusajs/framework/utils"
 import { decode, JwtPayload, verify } from "jsonwebtoken"

 // Middleware to validate that a token is valid
@@ -20,8 +24,13 @@ export const validateToken = () => {

    const req_ = req as AuthenticatedMedusaRequest

+    const errorObject = new MedusaError(
+      MedusaError.Types.UNAUTHORIZED,
+      `Invalid token`
+    )
+
    if (!token) {
-      return next()
+      return next(errorObject)
    }

    // @ts-ignore
@@ -33,6 +42,10 @@ export const validateToken = () => {

    const decoded = decode(token as string) as JwtPayload

+    if (!decoded?.entity_id) {
+      return next(errorObject)
+    }
+
    const [providerIdentity] = await authModule.listProviderIdentities(
      {
        entity_id: decoded.entity_id,
@@ -44,7 +57,7 @@ export const validateToken = () => {
    )

    if (!providerIdentity) {
-      return res.status(401).json({ message: "Invalid token" })
+      return next(errorObject)
    }

    let verified: JwtPayload | null = null
@@ -52,7 +65,7 @@ export const validateToken = () => {
    try {
      verified = verify(token as string, http.jwtSecret as string) as JwtPayload
    } catch (error) {
-      return res.status(401).json({ message: "Invalid token" })
+      return next(errorObject)
    }

    req_.auth_context = {