feat: Invalidate access token on logout

3 years ago · 8109936ce2
parent 640908320a
commit 8109936ce2
26 changed files with 242 additions and 37 deletions
--- a/client/src/actions/core.js
+++ b/client/src/actions/core.js
@ -44,6 +44,11 @@ const logout = () => ({
  payload: {},
 });
 logout.invalidateAccessToken = () => ({
  type: ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE,
  payload: {},
 });
 export default {
  initializeCore,
  logout,
--- a/client/src/actions/users.js
+++ b/client/src/actions/users.js
@ -103,10 +103,11 @@ const updateUserPassword = (id, data) => ({
  },
 });
-updateUserPassword.success = (user) => ({
+updateUserPassword.success = (user, accessToken) => ({
  type: ActionTypes.USER_PASSWORD_UPDATE__SUCCESS,
  payload: {
    user,
    accessToken,
  },
 });
--- a/client/src/api/access-tokens.js
+++ b/client/src/api/access-tokens.js
@ -1,9 +1,14 @@
 import http from './http';
 import socket from './socket';
 /* Actions */
 const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
 const deleteCurrentAccessToken = (headers) =>
  socket.delete('/access-tokens/me', undefined, headers);
 export default {
  createAccessToken,
  deleteCurrentAccessToken,
 };
--- a/client/src/components/Header/Header.jsx
+++ b/client/src/components/Header/Header.jsx
@ -15,6 +15,7 @@ const Header = React.memo(
    project,
    user,
    notifications,
    isLogouting,
    canEditProject,
    canEditUsers,
    onProjectSettingsClick,
@ -75,7 +76,11 @@ const Header = React.memo(
                )}
              </Menu.Item>
            </NotificationsPopup>
-            <UserPopup onSettingsClick={onUserSettingsClick} onLogout={onLogout}>
+            <UserPopup
              isLogouting={isLogouting}
              onSettingsClick={onUserSettingsClick}
              onLogout={onLogout}
            >
              <Menu.Item className={classNames(styles.item, styles.itemHoverable)}>
                {user.name}
              </Menu.Item>
@ -93,6 +98,7 @@ Header.propTypes = {
  user: PropTypes.object.isRequired,
  notifications: PropTypes.array.isRequired,
  /* eslint-enable react/forbid-prop-types */
  isLogouting: PropTypes.bool.isRequired,
  canEditProject: PropTypes.bool.isRequired,
  canEditUsers: PropTypes.bool.isRequired,
  onProjectSettingsClick: PropTypes.func.isRequired,
--- a/client/src/components/UserPopup/UserPopup.jsx
+++ b/client/src/components/UserPopup/UserPopup.jsx
@ -1,13 +1,13 @@
 import React, { useCallback } from 'react';
 import PropTypes from 'prop-types';
 import { useTranslation } from 'react-i18next';
-import { Menu } from 'semantic-ui-react';
+import { Button, Menu } from 'semantic-ui-react';
 import { withPopup } from '../../lib/popup';
 import { Popup } from '../../lib/custom-ui';
 import styles from './UserPopup.module.scss';
-const UserStep = React.memo(({ onSettingsClick, onLogout, onClose }) => {
+const UserStep = React.memo(({ isLogouting, onSettingsClick, onLogout, onClose }) => {
  const [t] = useTranslation();
  const handleSettingsClick = useCallback(() => {
@ -15,6 +15,17 @@ const UserStep = React.memo(({ onSettingsClick, onLogout, onClose }) => {
    onClose();
  }, [onSettingsClick, onClose]);
  let logoutMenuItemProps;
  if (isLogouting) {
    logoutMenuItemProps = {
      as: Button,
      fluid: true,
      basic: true,
      loading: true,
      disabled: true,
    };
  }
  return (
    <>
      <Popup.Header>
@ -29,7 +40,11 @@ const UserStep = React.memo(({ onSettingsClick, onLogout, onClose }) => {
              context: 'title',
            })}
          </Menu.Item>
-          <Menu.Item className={styles.menuItem} onClick={onLogout}>
+          <Menu.Item
            {...logoutMenuItemProps} // eslint-disable-line react/jsx-props-no-spreading
            className={styles.menuItem}
            onClick={onLogout}
          >
            {t('action.logOut', {
              context: 'title',
            })}
@ -41,6 +56,7 @@ const UserStep = React.memo(({ onSettingsClick, onLogout, onClose }) => {
 });
 UserStep.propTypes = {
  isLogouting: PropTypes.bool.isRequired,
  onSettingsClick: PropTypes.func.isRequired,
  onLogout: PropTypes.func.isRequired,
  onClose: PropTypes.func.isRequired,
--- a/client/src/constants/ActionTypes.js
+++ b/client/src/constants/ActionTypes.js
@ -21,6 +21,7 @@ export default {
  CORE_INITIALIZE: 'CORE_INITIALIZE',
  LOGOUT: 'LOGOUT',
  LOGOUT__ACCESS_TOKEN_INVALIDATE: 'LOGOUT__ACCESS_TOKEN_INVALIDATE',
  /* Modals */
--- a/client/src/containers/HeaderContainer.js
+++ b/client/src/containers/HeaderContainer.js
@ -6,6 +6,7 @@ import entryActions from '../entry-actions';
 import Header from '../components/Header';
 const mapStateToProps = (state) => {
  const isLogouting = selectors.selectIsLogouting(state);
  const currentUser = selectors.selectCurrentUser(state);
  const currentProject = selectors.selectCurrentProject(state);
  const notifications = selectors.selectNotificationsForCurrentUser(state);
@ -13,6 +14,7 @@ const mapStateToProps = (state) => {
  return {
    notifications,
    isLogouting,
    project: currentProject,
    user: currentUser,
    canEditProject: isCurrentUserManager,
--- a/client/src/reducers/auth.js
+++ b/client/src/reducers/auth.js
@ -1,18 +1,34 @@
 import { getAccessToken } from '../utils/access-token-storage';
 import ActionTypes from '../constants/ActionTypes';
 const initialState = {
  accessToken: getAccessToken(),
  userId: null,
 };
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
  switch (type) {
    case ActionTypes.AUTHENTICATE__SUCCESS:
      return {
        ...state,
        accessToken: payload.accessToken,
      };
    case ActionTypes.SOCKET_RECONNECT_HANDLE:
    case ActionTypes.CORE_INITIALIZE:
      return {
        ...state,
        userId: payload.user.id,
      };
    case ActionTypes.USER_PASSWORD_UPDATE__SUCCESS:
      if (payload.accessToken) {
        return {
          ...state,
          accessToken: payload.accessToken,
        };
      }
      return state;
    default:
      return state;
  }
--- a/client/src/reducers/core.js
+++ b/client/src/reducers/core.js
@ -5,6 +5,7 @@ import ModalTypes from '../constants/ModalTypes';
 const initialState = {
  isInitializing: true,
  isLogouting: false,
  currentModal: null,
 };
@ -22,6 +23,11 @@ export default (state = initialState, { type, payload }) => {
        ...state,
        isInitializing: false,
      };
    case ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE:
      return {
        ...state,
        isLogouting: true,
      };
    case ActionTypes.MODAL_OPEN:
      return {
        ...state,
--- a/client/src/sagas/core/index.js
+++ b/client/src/sagas/core/index.js
@ -1,9 +1,8 @@
-import { all, apply, call, fork, take } from 'redux-saga/effects';
+import { all, apply, fork, take } from 'redux-saga/effects';
 import watchers from './watchers';
 import services from './services';
 import { socket } from '../../api';
 import { removeAccessToken } from '../../utils/access-token-storage';
 import ActionTypes from '../../constants/ActionTypes';
 import Paths from '../../constants/Paths';
@ -15,6 +14,5 @@ export default function* coreSaga() {
  yield take(ActionTypes.LOGOUT);
  yield call(removeAccessToken);
  window.location.href = Paths.LOGIN;
 }
--- a/client/src/sagas/core/request.js
+++ b/client/src/sagas/core/request.js
@ -1,7 +1,8 @@
-import { call, fork, join, put, take } from 'redux-saga/effects';
+import { call, fork, join, put, select, take } from 'redux-saga/effects';
 import selectors from '../../selectors';
 import actions from '../../actions';
-import { getAccessToken } from '../../utils/access-token-storage';
+import { removeAccessToken } from '../../utils/access-token-storage';
 import ErrorCodes from '../../constants/ErrorCodes';
 let lastRequestTask;
@ -13,7 +14,7 @@ function* queueRequest(method, ...args) {
    } catch {} // eslint-disable-line no-empty
  }
-  const accessToken = yield call(getAccessToken);
+  const accessToken = yield select(selectors.selectAccessToken);
  try {
    return yield call(method, ...args, {
@ -21,6 +22,7 @@ function* queueRequest(method, ...args) {
    });
  } catch (error) {
    if (error.code === ErrorCodes.UNAUTHORIZED) {
      yield call(removeAccessToken);
      yield put(actions.logout()); // TODO: next url
      yield take();
    }
--- a/client/src/sagas/core/services/core.js
+++ b/client/src/sagas/core/services/core.js
@ -1,8 +1,11 @@
 import { call, put, take } from 'redux-saga/effects';
 import request from '../request';
 import requests from '../requests';
 import actions from '../../../actions';
 import api from '../../../api';
 import i18n from '../../../i18n';
 import { removeAccessToken } from '../../../utils/access-token-storage';
 export function* initializeCore() {
  const {
@ -60,7 +63,17 @@ export function* changeCoreLanguage(language) {
  }
 }
-export function* logout() {
+export function* logout(invalidateAccessToken = true) {
  yield call(removeAccessToken);
  if (invalidateAccessToken) {
    yield put(actions.logout.invalidateAccessToken());
    try {
      yield call(request, api.deleteCurrentAccessToken);
    } catch (error) {} // eslint-disable-line no-empty
  }
  yield put(actions.logout());
  yield take();
 }
--- a/client/src/sagas/core/services/users.js
+++ b/client/src/sagas/core/services/users.js
@ -124,11 +124,13 @@ export function* updateUserPassword(id, data) {
    return;
  }
-  if (accessTokens && accessTokens[0]) {
+  const accessToken = accessTokens && accessTokens[0];
-    yield call(setAccessToken, accessTokens[0]);
+
  if (accessToken) {
    yield call(setAccessToken, accessToken);
  }
-  yield put(actions.updateUserPassword.success(user));
+  yield put(actions.updateUserPassword.success(user, accessToken));
 }
 export function* updateCurrentUserPassword(data) {
@ -215,7 +217,7 @@ export function* handleUserDelete(user) {
  const currentUserId = yield select(selectors.selectCurrentUserId);
  if (user.id === currentUserId) {
-    yield call(logout);
+    yield call(logout, false);
  }
  yield put(actions.handleUserDelete(user));
--- a/client/src/sagas/login/index.js
+++ b/client/src/sagas/login/index.js
@ -2,18 +2,13 @@ import { all, call, cancel, fork, take } from 'redux-saga/effects';
 import watchers from './watchers';
 import services from './services';
 import { setAccessToken } from '../../utils/access-token-storage';
 import ActionTypes from '../../constants/ActionTypes';
 export default function* loginSaga() {
  const watcherTasks = yield all(watchers.map((watcher) => fork(watcher)));
-  const {
+  yield take(ActionTypes.AUTHENTICATE__SUCCESS);
    payload: { accessToken },
  } = yield take(ActionTypes.AUTHENTICATE__SUCCESS);
  yield cancel(watcherTasks);
  yield call(setAccessToken, accessToken);
  yield call(services.goToRoot);
 }
--- a/client/src/sagas/login/services/login.js
+++ b/client/src/sagas/login/services/login.js
@ -2,6 +2,7 @@ import { call, put } from 'redux-saga/effects';
 import actions from '../../../actions';
 import api from '../../../api';
 import { setAccessToken } from '../../../utils/access-token-storage';
 export function* authenticate(data) {
  yield put(actions.authenticate(data));
@ -14,6 +15,7 @@ export function* authenticate(data) {
    return;
  }
  yield call(setAccessToken, accessToken);
  yield put(actions.authenticate.success(accessToken));
 }
--- a/client/src/selectors/auth.js
+++ b/client/src/selectors/auth.js
@ -1,5 +0,0 @@
 export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
 export default {
  selectAccessToken,
 };
--- a/client/src/selectors/core.js
+++ b/client/src/selectors/core.js
@ -4,8 +4,12 @@ import isUndefined from 'lodash/isUndefined';
 import orm from '../orm';
 import Config from '../constants/Config';
 export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
 export const selectIsCoreInitializing = ({ core: { isInitializing } }) => isInitializing;
 export const selectIsLogouting = ({ core: { isLogouting } }) => isLogouting;
 const nextPosition = (items, index, excludedId) => {
  const filteredItems = isUndefined(excludedId)
    ? items
@ -94,7 +98,9 @@ export const selectNextTaskPosition = createSelector(
 );
 export default {
  selectAccessToken,
  selectIsCoreInitializing,
  selectIsLogouting,
  selectNextBoardPosition,
  selectNextListPosition,
  selectNextCardPosition,
--- a/client/src/selectors/index.js
+++ b/client/src/selectors/index.js
@ -1,5 +1,4 @@
 import router from './router';
 import auth from './auth';
 import core from './core';
 import modals from './modals';
 import users from './users';
@ -14,7 +13,6 @@ import attachments from './attachments';
 export default {
  ...router,
  ...auth,
  ...core,
  ...modals,
  ...users,
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -40,24 +40,33 @@ module.exports = {
  },
  async fn(inputs) {
    const remoteAddress = getRemoteAddress(this.req);
    const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);
    if (!user) {
      sails.log.warn(
-        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${getRemoteAddress(
+        `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,
          this.req,
        )})`,
      );
      throw Errors.INVALID_EMAIL_OR_USERNAME;
    }
    if (!bcrypt.compareSync(inputs.password, user.password)) {
-      sails.log.warn(`Invalid password! (IP: ${getRemoteAddress(this.req)})`);
+      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
      throw Errors.INVALID_PASSWORD;
    }
    const accessToken = sails.helpers.utils.createToken(user.id);
    await Session.create({
      accessToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });
    return {
-      item: sails.helpers.utils.createToken(user.id),
+      item: accessToken,
    };
  },
 };
--- a/server/api/controllers/access-tokens/delete.js
+++ b/server/api/controllers/access-tokens/delete.js
@ -0,0 +1,16 @@
 module.exports = {
  async fn() {
    const { accessToken } = this.req;
    await Session.updateOne({
      accessToken,
      deletedAt: null,
    }).set({
      deletedAt: new Date().toUTCString(),
    });
    return {
      item: accessToken,
    };
  },
 };
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -1,6 +1,8 @@
 const bcrypt = require('bcrypt');
 const zxcvbn = require('zxcvbn');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 const Errors = {
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
@ -71,6 +73,13 @@ module.exports = {
    if (user.id === currentUser.id) {
      const accessToken = sails.helpers.utils.createToken(user.id, user.passwordUpdatedAt);
      await Session.create({
        accessToken,
        userId: user.id,
        remoteAddress: getRemoteAddress(this.req),
        userAgent: this.req.headers['user-agent'],
      });
      return {
        item: user,
        included: {
--- a/server/api/helpers/utils/create-token.js
+++ b/server/api/helpers/utils/create-token.js
@ -1,3 +1,4 @@
 const { v4: uuid } = require('uuid');
 const jwt = require('jsonwebtoken');
 module.exports = {
@ -24,6 +25,9 @@ module.exports = {
        exp: iat + sails.config.custom.tokenExpiresIn * 24 * 60 * 60,
      },
      sails.config.session.secret,
      {
        keyid: uuid(),
      },
    );
  },
 };
--- a/server/api/hooks/current-user/index.js
+++ b/server/api/hooks/current-user/index.js
@ -17,6 +17,15 @@ module.exports = function defineCurrentUserHook(sails) {
      return null;
    }
    const session = await Session.findOne({
      accessToken,
      deletedAt: null,
    });
    if (!session) {
      return null;
    }
    const user = await sails.helpers.users.getOne(payload.subject);
    if (user && user.passwordChangedAt > payload.issuedAt) {
@ -43,8 +52,14 @@ module.exports = function defineCurrentUserHook(sails) {
            if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {
              const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');
              const currentUser = await getUser(accessToken);
-              req.currentUser = await getUser(accessToken);
+              if (currentUser) {
                Object.assign(req, {
                  accessToken,
                  currentUser,
                });
              }
            }
            return next();
@ -52,8 +67,17 @@ module.exports = function defineCurrentUserHook(sails) {
        },
        '/attachments/*': {
          async fn(req, res, next) {
-            if (req.cookies.accessToken) {
+            const { accessToken } = req.cookies;
-              req.currentUser = await getUser(req.cookies.accessToken);
+
            if (accessToken) {
              const currentUser = await getUser(accessToken);
              if (currentUser) {
                Object.assign(req, {
                  accessToken,
                  currentUser,
                });
              }
            }
            return next();
--- a/server/api/models/Session.js
+++ b/server/api/models/Session.js
@ -0,0 +1,49 @@
 /**
 * Session.js
 *
 * @description :: A model definition represents a database table/collection.
 * @docs        :: https://sailsjs.com/docs/concepts/models-and-orm/models
 */
 module.exports = {
  attributes: {
    //  ╔═╗╦═╗╦╔╦╗╦╔╦╗╦╦  ╦╔═╗╔═╗
    //  ╠═╝╠╦╝║║║║║ ║ ║╚╗╔╝║╣ ╚═╗
    //  ╩  ╩╚═╩╩ ╩╩ ╩ ╩ ╚╝ ╚═╝╚═╝
    accessToken: {
      type: 'string',
      required: true,
      columnName: 'access_token',
    },
    remoteAddress: {
      type: 'string',
      required: true,
      columnName: 'remote_address',
    },
    userAgent: {
      type: 'string',
      isNotEmptyString: true,
      allowNull: true,
      columnName: 'user_agent',
    },
    deletedAt: {
      type: 'ref',
      columnName: 'deleted_at',
    },
    //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
    //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
    //  ╚═╝╩ ╩╚═╝╚═╝═╩╝╚═╝
    //  ╔═╗╔═╗╔═╗╔═╗╔═╗╦╔═╗╔╦╗╦╔═╗╔╗╔╔═╗
    //  ╠═╣╚═╗╚═╗║ ║║  ║╠═╣ ║ ║║ ║║║║╚═╗
    //  ╩ ╩╚═╝╚═╝╚═╝╚═╝╩╩ ╩ ╩ ╩╚═╝╝╚╝╚═╝
    userId: {
      model: 'User',
      required: true,
      columnName: 'user_id',
    },
  },
 };
--- a/server/config/routes.js
+++ b/server/config/routes.js
@ -10,6 +10,7 @@
 module.exports.routes = {
  'POST /api/access-tokens': 'access-tokens/create',
  'DELETE /api/access-tokens/me': 'access-tokens/delete',
  'GET /api/users': 'users/index',
  'POST /api/users': 'users/create',
--- a/server/db/migrations/20220906094517_create_session_table.js
+++ b/server/db/migrations/20220906094517_create_session_table.js
@ -0,0 +1,24 @@
 module.exports.up = (knex) =>
  knex.schema.createTable('session', (table) => {
    /* Columns */
    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
    table.bigInteger('user_id').notNullable();
    table.text('access_token').notNullable();
    table.text('remote_address').notNullable();
    table.text('user_agent');
    table.timestamp('created_at', true);
    table.timestamp('updated_at', true);
    table.timestamp('deleted_at', true);
    /* Indexes */
    table.index('user_id');
    table.unique('access_token');
    table.index('remote_address');
  });
 module.exports.down = (knex) => knex.schema.dropTable('session');