From a4ef486e1ac71a56d72421ed37c8bc95d13dd72f Mon Sep 17 00:00:00 2001
From: James
Date: Fri, 3 Jul 2020 13:15:56 -0400
Subject: [PATCH] enables refresh route to safely update httpOnly cookie
---
 src/auth/operations/refresh.js | 6 +++++-
 src/auth/requestHandlers/refresh.js | 1 +
 src/client/components/data/User.js | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/auth/operations/refresh.js b/src/auth/operations/refresh.js
index 6f355c6886..8caba2e127 100644
--- a/src/auth/operations/refresh.js
+++ b/src/auth/operations/refresh.js
@@ -21,7 +21,7 @@ const refresh = async (args) => {
 // 2. Perform refresh
 // /////////////////////////////////////
- const { secret } = options.config;
+ const { secret, cookiePrefix } = options.config;
 const opts = {};
 opts.expiresIn = options.collection.config.auth.tokenExpiration;
@@ -33,6 +33,10 @@ const refresh = async (args) => {
 delete payload.exp;
 const refreshedToken = jwt.sign(payload, secret, opts);
+ if (args.res) {
+ args.res.cookie(`${cookiePrefix}-token`, refreshedToken, { path: '/', httpOnly: true });
+ }
+
 // /////////////////////////////////////
 // 3. Execute after login hook
 // /////////////////////////////////////
diff --git a/src/auth/requestHandlers/refresh.js b/src/auth/requestHandlers/refresh.js
index 6fa1980dbe..1064f74abd 100644
--- a/src/auth/requestHandlers/refresh.js
+++ b/src/auth/requestHandlers/refresh.js
@@ -6,6 +6,7 @@ const refreshHandler = config => async (req, res) => {
 try {
 const result = await refresh({
 req,
+ res,
 collection: req.collection,
 config,
 authorization: req.headers.authorization,
diff --git a/src/client/components/data/User.js b/src/client/components/data/User.js
index 8b7da70f51..edd481cbb0 100644
--- a/src/client/components/data/User.js
+++ b/src/client/components/data/User.js
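Review bot: The cookie written by the added `args.res.cookie(...)` call in the second hunk of src/auth/operations/refresh.js sets `httpOnly` but neither `secure` nor `sameSite`, so the refreshed token is also sent on plain-HTTP requests and its cross-site behaviour is left to the browser default; it should carry the same attributes as the cookie first issued on the login path, which is not visible in this patch. It also sets no `maxAge`/`expires`, so the cookie lives for the browser session while the JWT inside it expires after `opts.expiresIn`, and the browser keeps presenting a dead token after that point. An options object along the lines of `{ path: '/', httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax', maxAge: <tokenExpiration in ms> }` would cover both; `tokenExpiration` is read into `opts.expiresIn` two lines above and its unit is not shown here, so the conversion to milliseconds needs confirming. The body of `refresh` continues outside the hunk.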
@@ -125,7 +125,6 @@ const UserProvider = ({ children }) => {
 if (remainingTime > 0) {
 forceLogOut = setTimeout(() => {
- logOut();
 history.push(`${admin}/logout`);
 closeAllModals();
 }, remainingTime * 1000);