fix: revalidate tokens created prior to server startup

4 years ago · 98f21b9f6a
parent 92b29d1f06
commit 98f21b9f6a
2 changed files with 14 additions and 9 deletions
--- a/server/core/auth.js
+++ b/server/core/auth.js
@ -115,27 +115,30 @@ module.exports = {
      let mustRevalidate = false

      // Expired but still valid within N days, just renew
-      if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromSeconds(info.expiredAt)) {
+      if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromISO(info.expiredAt)) {
        mustRevalidate = true
      }

      // Check if user / group is in revokation list
-      if (user) {
+      if (user && !mustRevalidate) {
        const uRevalidate = WIKI.auth.revokationList.get(`u${_.toString(user.id)}`)
        if (uRevalidate && user.iat < uRevalidate) {
          mustRevalidate = true
-        }
-        for (const gid of user.groups) {
-          const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`)
-          if (gRevalidate && user.iat < gRevalidate) {
-            mustRevalidate = true
+        } else if (DateTime.fromSeconds(user.iat) <= WIKI.startedAt) { // Prevent new / restarted instance from allowing revoked tokens
+          mustRevalidate = true
+        } else {
+          for (const gid of user.groups) {
+            const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`)
+            if (gRevalidate && user.iat < gRevalidate) {
+              mustRevalidate = true
+              break
+            }
          }
        }
      }

      // Revalidate and renew token
      if (mustRevalidate) {
-        console.info('MUST REVALIDATE')
        const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
        try {
          const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
--- a/server/index.js
+++ b/server/index.js
@ -5,6 +5,7 @@

 const path = require('path')
 const { nanoid } = require('nanoid')
+const { DateTime } = require('luxon')

 let WIKI = {
  IS_DEBUG: process.env.NODE_ENV === 'development',
@ -14,7 +15,8 @@ let WIKI = {
  SERVERPATH: path.join(process.cwd(), 'server'),
  Error: require('./helpers/error'),
  configSvc: require('./core/config'),
-  kernel: require('./core/kernel')
+  kernel: require('./core/kernel'),
+  startedAt: DateTime.utc()
 }
 global.WIKI = WIKI