feat: Improve security of access tokens (#279)

Closes #275
2025-07-24 23:59:48 +02:00 · 2022-08-09 18:03:21 +02:00 · 2022-08-09 18:03:21 +02:00 · 7786533a90
commit 7786533a90
parent dab38cbc18
40 changed files with 273 additions and 133 deletions
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -49,7 +49,7 @@ module.exports = {
    }

    return {
-      item: sails.helpers.utils.signToken(user.id),
+      item: sails.helpers.utils.createToken(user.id),
    };
  },
 };
--- a/server/api/controllers/users/update-avatar.js
+++ b/server/api/controllers/users/update-avatar.js
@ -54,6 +54,7 @@ module.exports = {
          {
            avatarDirname: files[0].extra.dirname,
          },
+          currentUser,
          this.req,
        );

--- a/server/api/controllers/users/update-email.js
+++ b/server/api/controllers/users/update-email.js
@ -69,7 +69,7 @@ module.exports = {
    const values = _.pick(inputs, ['email']);

    user = await sails.helpers.users
-      .updateOne(user, values, this.req)
+      .updateOne(user, values, currentUser, this.req)
      .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE);

    if (!user) {
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -60,12 +60,21 @@ module.exports = {
    }

    const values = _.pick(inputs, ['password']);
-    user = await sails.helpers.users.updateOne(user, values, this.req);
+    user = await sails.helpers.users.updateOne(user, values, currentUser, this.req);

    if (!user) {
      throw Errors.USER_NOT_FOUND;
    }

+    if (user.id === currentUser.id) {
+      const accessToken = sails.helpers.utils.createToken(user.id, user.passwordUpdatedAt);
+
+      return {
+        accessToken,
+        item: user,
+      };
+    }
+
    return {
      item: user,
    };
--- a/server/api/controllers/users/update-username.js
+++ b/server/api/controllers/users/update-username.js
@ -71,7 +71,7 @@ module.exports = {
    const values = _.pick(inputs, ['username']);

    user = await sails.helpers.users
-      .updateOne(user, values, this.req)
+      .updateOne(user, values, currentUser, this.req)
      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE);

    if (!user) {
--- a/server/api/controllers/users/update.js
+++ b/server/api/controllers/users/update.js
@ -75,7 +75,7 @@ module.exports = {
      'subscribeToOwnCards',
    ]);

-    user = await sails.helpers.users.updateOne(user, values, this.req);
+    user = await sails.helpers.users.updateOne(user, values, currentUser, this.req);

    if (!user) {
      throw Errors.USER_NOT_FOUND;