fix: handle invalid tokens in refresh token operation (#3647)

* fix: handle invalid tokens in refresh token operation

* fix: check for any falsy user values instead of just nullish in token refresh

packages/payload/src/auth/operations/refresh.ts

@@ -58,7 +58,7 @@ async function refresh(incomingArgs: Arguments): Promise<Result> {
     },
   } = args
 
-  if (typeof args.token !== 'string') throw new Forbidden(args.req.t)
+  if (typeof args.token !== 'string' || !args.req.user) throw new Forbidden(args.req.t)
 
   const parsedURL = url.parse(args.req.url)
   const isGraphQL = parsedURL.pathname === config.routes.graphQL

test/auth/int.spec.ts

@@ -636,6 +636,21 @@ describe('Auth', () => {
       }).then((res) => res.json())
       expect(editorMe.user.adminOnlyField).toBeUndefined()
     })
+
+    it('should not allow refreshing an invalid token', async () => {
+      const response = await fetch(`${apiUrl}/${slug}/refresh-token`, {
+        body: JSON.stringify({
+          token: 'INVALID',
+        }),
+        headers,
+        method: 'post',
+      })
+
+      const data = await response.json()
+
+      expect(response.status).toBe(403)
+      expect(data.token).toBeUndefined()
+    })
   })
 
   describe('API Key', () => {