Fix refresh token expired check (#426)
lanedirt committed Nov 26, 2024
1 parent 4ae8405 commit 0d8143c
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions src/AliasVault.Api/Controllers/AuthController.cs
Expand Up @@ -343,7 +343,7 @@ public async Task<IActionResult> Register([FromBody] RegisterRequest model)
UserName = model.Username,
CreatedAt = timeProvider.UtcNow,
UpdatedAt = timeProvider.UtcNow,
PasswordChangedAt = DateTime.UtcNow,
PasswordChangedAt = timeProvider.UtcNow,
};

user.Vaults.Add(new AliasServerDb.Vault
Expand Down Expand Up @@ -708,20 +708,20 @@ private async Task<TokenModel> GenerateNewTokensForUser(AliasVaultUser user, boo
return new TokenModel { Token = accessToken, RefreshToken = existingTokenReuse.Value };
}

// Remove the existing refresh token.
var tokenToDelete = await context.AliasVaultUserRefreshTokens.FirstOrDefaultAsync(t => t.Value == existingTokenValue);
if (tokenToDelete is null)
// Check if the refresh token still exists and is not expired.
var existingToken = await context.AliasVaultUserRefreshTokens.FirstOrDefaultAsync(t => t.UserId == user.Id && t.Value == existingTokenValue);
if (existingToken == null || existingToken.ExpireDate < timeProvider.UtcNow)
{
return null;
}

context.AliasVaultUserRefreshTokens.Remove(tokenToDelete);
context.AliasVaultUserRefreshTokens.Remove(existingToken);

// New refresh token lifetime is the same as the existing one.
var existingTokenLifetime = tokenToDelete.ExpireDate - tokenToDelete.CreatedAt;
var existingTokenLifetime = existingToken.ExpireDate - existingToken.CreatedAt;

// Retrieve new refresh token.
var newRefreshToken = await GenerateRefreshToken(user, existingTokenLifetime, tokenToDelete.Value);
var newRefreshToken = await GenerateRefreshToken(user, existingTokenLifetime, existingToken.Value);

// After successfully retrieving new refresh token, remove the existing one by saving changes.
await context.SaveChangesAsync();
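Review bot: The new guard `if (existingToken == null || existingToken.ExpireDate < timeProvider.UtcNow)` returns null for an expired token without removing its row, and it folds "unknown token" and "expired token" into one silent outcome. A refresh token that is presented but no longer stored is the usual sign that an already rotated token is being replayed, so I would split the condition, log the not-found case with the user id, and in the expired branch call `context.AliasVaultUserRefreshTokens.Remove(existingToken);` and save before returning null, unless a cleanup job elsewhere already purges expired rows. The reuse branch that returns `existingTokenReuse.Value` starts above this hunk, so it is not visible whether it applies the same `t.UserId == user.Id` and expiry conditions; that is worth confirming, since it would otherwise bypass this fix. GenerateNewTokensForUser begins and ends outside the hunk.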