feat(auth): add workspaceId validation and token expiration (#9134)

Added validation to ensure refresh tokens include a workspaceId, throwing an exception for malformed tokens. Included workspaceId in payloads and introduced expiration handling for access tokens. This enhances token security and prevents potential misuse. Close #9126
2024-12-22 19:41:53 +03:00 · 2024-12-18 18:56:49 +01:00 · 2024-12-18 18:56:49 +01:00 · a2423fad5e
commit a2423fad5e
parent f620fd3c18
2 changed files with 11 additions and 0 deletions
--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts
@ -100,6 +100,7 @@ export class AccessTokenService {
    return {
      token: this.jwtWrapperService.sign(jwtPayload, {
        secret: this.jwtWrapperService.generateAppSecret('ACCESS', workspaceId),
+        expiresIn,
      }),
      expiresAt,
    };
--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts
@ -90,6 +90,14 @@ export class RefreshTokenService {
      );
    }

+    // TODO: Delete this useless condition and error after March 31st 2025
+    if (!token.workspaceId) {
+      throw new AuthException(
+        'This refresh token is malformed',
+        AuthExceptionCode.INVALID_INPUT,
+      );
+    }
+
    return { user, token };
  }

@ -115,10 +123,12 @@ export class RefreshTokenService {
    const refreshTokenPayload = {
      userId,
      expiresAt,
+      workspaceId,
      type: AppTokenType.RefreshToken,
    };
    const jwtPayload = {
      sub: userId,
+      workspaceId,
    };

    const refreshToken = this.appTokenRepository.create(refreshTokenPayload);