From 441004cc2146a64740554c91dd135c8c74a43d2b Mon Sep 17 00:00:00 2001
From: Oli Juhl <59018053+olivermrbl@users.noreply.github.com>
Date: Wed, 6 Nov 2024 21:21:45 +0100
Subject: [PATCH] chore: Update auth flow (#9959)
---
.../http/__tests__/auth/admin/auth.spec.ts | 24 ++++++++++++++++++-
.../generate-reset-password-token.ts | 1 +
.../src/api/auth/utils/validate-token.ts | 21 ++++++++++++----
3 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/integration-tests/http/__tests__/auth/admin/auth.spec.ts b/integration-tests/http/__tests__/auth/admin/auth.spec.ts
index b5e4aa6fe3..fa7e3a5019 100644
--- a/integration-tests/http/__tests__/auth/admin/auth.spec.ts
+++ b/integration-tests/http/__tests__/auth/admin/auth.spec.ts
@@ -1,6 +1,6 @@
import { generateResetPasswordTokenWorkflow } from "@medusajs/core-flows"
-import jwt from "jsonwebtoken"
import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
+import jwt from "jsonwebtoken"
import {
adminHeaders,
createAdminUser,
@@ -264,6 +264,28 @@ medusaIntegrationTestRunner({
expect(response.response.status).toEqual(401)
expect(response.response.data.message).toEqual("Invalid token")
})
+
+ it("should fail if no token is passed", async () => {
+ jest.useFakeTimers()
+
+ // Register user
+ await api.post("/auth/user/emailpass/register", {
+ email: "test@medusa-commerce.com",
+ password: "secret_password",
+ })
+
+ // Advance time by 15 minutes
+ jest.advanceTimersByTime(15 * 60 * 1000)
+
+ const response = await api
+ .post(`/auth/user/emailpass/update`, {
+ email: "test@medusa-commerce.com",
+ })
+ .catch((e) => e)
+
+ expect(response.response.status).toEqual(401)
+ expect(response.response.data.message).toEqual("Invalid token")
+ })
})
it("should refresh the token successfully", async () => {
diff --git a/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts b/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts
index c5a16035cc..a52351c138 100644
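Review bot: The new test "should fail if no token is passed" switches to fake timers and advances the clock by 15 minutes, but neither step has any bearing on a request that carries no token, and nothing in the hunk restores real timers afterwards; the setup looks carried over from the expired-token case directly above it. I would drop `jest.useFakeTimers()` and `jest.advanceTimersByTime(15 * 60 * 1000)`, or, if the suite depends on them, pair them with `jest.useRealTimers()` (an `afterEach` doing that may exist outside the hunk, which I cannot see). The update request also omits `password`, so the 401 would still be produced if the route rejected the body for a reason other than the missing token; sending a password pins the failure to the token check. The `describe` block enclosing this hunk starts and ends outside it.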
--- a/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts
+++ b/packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts
@@ -56,6 +56,7 @@ export const generateResetPasswordTokenWorkflow = createWorkflow(
}
)
+
emitEventStep({
eventName: AuthWorkflowEvents.PASSWORD_RESET,
data: { entity_id: input.entityId, actorType: input.actorType, token },
diff --git a/packages/medusa/src/api/auth/utils/validate-token.ts b/packages/medusa/src/api/auth/utils/validate-token.ts
index 5740a81399..c06b9358ec 100644
--- a/packages/medusa/src/api/auth/utils/validate-token.ts
+++ b/packages/medusa/src/api/auth/utils/validate-token.ts
@@ -5,7 +5,11 @@ import {
MedusaResponse,
} from "@medusajs/framework/http"
import { ConfigModule, IAuthModuleService } from "@medusajs/framework/types"
-import { ContainerRegistrationKeys, Modules } from "@medusajs/framework/utils"
+import {
+ ContainerRegistrationKeys,
+ MedusaError,
+ Modules,
+} from "@medusajs/framework/utils"
import { decode, JwtPayload, verify } from "jsonwebtoken"
// Middleware to validate that a token is valid
@@ -20,8 +24,13 @@ export const validateToken = () => {
const req_ = req as AuthenticatedMedusaRequest
+ const errorObject = new MedusaError(
+ MedusaError.Types.UNAUTHORIZED,
+ `Invalid token`
+ )
+
if (!token) {
- return next()
+ return next(errorObject)
}
// @ts-ignore
@@ -33,6 +42,10 @@ export const validateToken = () => {
const decoded = decode(token as string) as JwtPayload
+ if (!decoded?.entity_id) {
+ return next(errorObject)
+ }
+
const [providerIdentity] = await authModule.listProviderIdentities(
{
entity_id: decoded.entity_id,
@@ -44,7 +57,7 @@ export const validateToken = () => {
)
if (!providerIdentity) {
- return res.status(401).json({ message: "Invalid token" })
+ return next(errorObject)
}
let verified: JwtPayload | null = null
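Review bot: `errorObject` is constructed with `new MedusaError(...)` on every pass through the middleware, including the common success path, and building an Error captures a stack trace each time that will always point at this line rather than at the branch that actually failed. A small factory keeps the behaviour and pays the cost only on failure: `const invalidToken = () => new MedusaError(MedusaError.Types.UNAUTHORIZED, "Invalid token")` with `return next(invalidToken())` at each rejection site. The message is also written as a template literal with no interpolation; a plain `"Invalid token"` string reads cleaner. validateToken's body begins and ends outside this hunk.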
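Review bot: The new `entity_id` guard reads from `decode()`, which parses the JWT without checking its signature, so the `listProviderIdentities` call that follows runs a lookup keyed on a claim anyone can put in an unsigned token; the signature is only checked by `verify` further down, outside this hunk. Running `verify` first and keying the lookup on the verified payload means forged or tampered tokens are rejected before they reach the database, and makes the unverified `decode` unnecessary. The sketch below assumes `http` is already in scope at this point and that the later `verify` block is removed; validateToken's body starts and ends outside the hunk.
```typescript
    // Check the signature before trusting any claim carried in the token
    let verified: JwtPayload | null = null
    try {
      verified = verify(token as string, http.jwtSecret as string) as JwtPayload
    } catch (error) {
      return next(errorObject)
    }

    if (!verified?.entity_id) {
      return next(errorObject)
    }

    const [providerIdentity] = await authModule.listProviderIdentities(
      {
        entity_id: verified.entity_id,
        // … unchanged: remaining filter and query options …
```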
@@ -52,7 +65,7 @@ export const validateToken = () => {
try {
verified = verify(token as string, http.jwtSecret as string) as JwtPayload
} catch (error) {
- return res.status(401).json({ message: "Invalid token" })
+ return next(errorObject)
}
req_.auth_context = {
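Review bot: `verify(token as string, http.jwtSecret as string)` passes no `algorithms` option, so jsonwebtoken accepts whatever algorithm the token header names as long as the signature checks out against the secret; pinning the expected algorithm removes that freedom, e.g. `verify(token as string, http.jwtSecret as string, { algorithms: ["HS256"] })` (substitute the algorithm the tokens are actually signed with, which is not visible in this diff). The `catch (error)` binding is unused and can be written `catch {`. Note also that `verified` is produced here but the provider-identity lookup above this hunk was keyed on the unverified `decode()` result; using `verified.entity_id` downstream keeps the two in step. validateToken's body starts and ends outside the hunk.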