chore: Update auth flow (#9959)

integration-tests/http/__tests__/auth/admin/auth.spec.ts

@@ -1,6 +1,6 @@
 import { generateResetPasswordTokenWorkflow } from "@medusajs/core-flows"
-import jwt from "jsonwebtoken"
 import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
+import jwt from "jsonwebtoken"
 import {
   adminHeaders,
   createAdminUser,
@@ -264,6 +264,28 @@ medusaIntegrationTestRunner({
         expect(response.response.status).toEqual(401)
         expect(response.response.data.message).toEqual("Invalid token")
       })
+
+      it("should fail if no token is passed", async () => {
+        jest.useFakeTimers()
+
+        // Register user
+        await api.post("/auth/user/emailpass/register", {
+          email: "test@medusa-commerce.com",
+          password: "secret_password",
+        })
+
+        // Advance time by 15 minutes
+        jest.advanceTimersByTime(15 * 60 * 1000)
+
+        const response = await api
+          .post(`/auth/user/emailpass/update`, {
+            email: "test@medusa-commerce.com",
+          })
+          .catch((e) => e)
+
+        expect(response.response.status).toEqual(401)
+        expect(response.response.data.message).toEqual("Invalid token")
+      })
     })
 
     it("should refresh the token successfully", async () => {

packages/core/core-flows/src/auth/workflows/generate-reset-password-token.ts

@@ -56,6 +56,7 @@ export const generateResetPasswordTokenWorkflow = createWorkflow(
       }
     )
 
+
     emitEventStep({
       eventName: AuthWorkflowEvents.PASSWORD_RESET,
       data: { entity_id: input.entityId, actorType: input.actorType, token },

packages/medusa/src/api/auth/utils/validate-token.ts

@@ -5,7 +5,11 @@ import {
   MedusaResponse,
 } from "@medusajs/framework/http"
 import { ConfigModule, IAuthModuleService } from "@medusajs/framework/types"
-import { ContainerRegistrationKeys, Modules } from "@medusajs/framework/utils"
+import {
+  ContainerRegistrationKeys,
+  MedusaError,
+  Modules,
+} from "@medusajs/framework/utils"
 import { decode, JwtPayload, verify } from "jsonwebtoken"
 
 // Middleware to validate that a token is valid
@@ -20,8 +24,13 @@ export const validateToken = () => {
 
     const req_ = req as AuthenticatedMedusaRequest
 
+    const errorObject = new MedusaError(
+      MedusaError.Types.UNAUTHORIZED,
+      `Invalid token`
+    )
+
     if (!token) {
-      return next()
+      return next(errorObject)
     }
 
     // @ts-ignore
@@ -33,6 +42,10 @@ export const validateToken = () => {
 
     const decoded = decode(token as string) as JwtPayload
 
+    if (!decoded?.entity_id) {
+      return next(errorObject)
+    }
+
     const [providerIdentity] = await authModule.listProviderIdentities(
       {
         entity_id: decoded.entity_id,
@@ -44,7 +57,7 @@ export const validateToken = () => {
     )
 
     if (!providerIdentity) {
-      return res.status(401).json({ message: "Invalid token" })
+      return next(errorObject)
     }
 
     let verified: JwtPayload | null = null
@@ -52,7 +65,7 @@ export const validateToken = () => {
     try {
       verified = verify(token as string, http.jwtSecret as string) as JwtPayload
     } catch (error) {
-      return res.status(401).json({ message: "Invalid token" })
+      return next(errorObject)
     }
 
     req_.auth_context = {