feat: Invalidate access token on logout

2025-07-23 15:19:44 +02:00 · 2022-09-07 18:39:33 +05:00 · 2022-09-07 18:39:33 +05:00 · 8109936ce2
commit 8109936ce2
parent 640908320a
26 changed files with 242 additions and 37 deletions
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -40,24 +40,33 @@ module.exports = {
  },

  async fn(inputs) {
+    const remoteAddress = getRemoteAddress(this.req);
+
    const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);

    if (!user) {
      sails.log.warn(
-        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${getRemoteAddress(
-          this.req,
-        )})`,
+        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
      );
      throw Errors.INVALID_EMAIL_OR_USERNAME;
    }

    if (!bcrypt.compareSync(inputs.password, user.password)) {
-      sails.log.warn(`Invalid password! (IP: ${getRemoteAddress(this.req)})`);
+      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
      throw Errors.INVALID_PASSWORD;
    }

+    const accessToken = sails.helpers.utils.createToken(user.id);
+
+    await Session.create({
+      accessToken,
+      remoteAddress,
+      userId: user.id,
+      userAgent: this.req.headers['user-agent'],
+    });
+
    return {
-      item: sails.helpers.utils.createToken(user.id),
+      item: accessToken,
    };
  },
 };
--- a/server/api/controllers/access-tokens/delete.js
+++ b/server/api/controllers/access-tokens/delete.js
@ -0,0 +1,16 @@
+module.exports = {
+  async fn() {
+    const { accessToken } = this.req;
+
+    await Session.updateOne({
+      accessToken,
+      deletedAt: null,
+    }).set({
+      deletedAt: new Date().toUTCString(),
+    });
+
+    return {
+      item: accessToken,
+    };
+  },
+};
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -1,6 +1,8 @@
 const bcrypt = require('bcrypt');
 const zxcvbn = require('zxcvbn');

+const { getRemoteAddress } = require('../../../utils/remoteAddress');
+
 const Errors = {
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
@ -71,6 +73,13 @@ module.exports = {
    if (user.id === currentUser.id) {
      const accessToken = sails.helpers.utils.createToken(user.id, user.passwordUpdatedAt);

+      await Session.create({
+        accessToken,
+        userId: user.id,
+        remoteAddress: getRemoteAddress(this.req),
+        userAgent: this.req.headers['user-agent'],
+      });
+
      return {
        item: user,
        included: {