feat(Feat/refresh token): Implement refresh token (#29)

Ho-s · web-flow · commit ea4fd45390ea · 2024-07-31T15:01:42.000+09:00
* Feat: Implement refresh token

- Add refresh token column in user entity
- Create refresh token related strategy and guard
- The refresh token secret needs to be stored in an environment variable.

* Feat: Add sign out function
diff --git a/.example.env b/.example.env
@@ -13,6 +13,10 @@ JWT_PUBLIC_KEY= "-----BEGIN PUBLIC KEY-----
 YOUR_KEY
 -----END PUBLIC KEY-----"
 
+JWT_REFRESH_TOKEN_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
+YOUR_KEY
+-----END RSA PRIVATE KEY-----"
+
 AWS_S3_ACCESS_KEY=some_access_key
 AWS_S3_SECRET_KEY=some_secret_key
 AWS_S3_REGION=some_region
diff --git a/src/auth/auth.module.ts b/src/auth/auth.module.ts
@@ -7,6 +7,7 @@ import { UserModule } from 'src/user/user.module';
 
 import { AuthResolver } from './auth.resolver';
 import { AuthService } from './auth.service';
+import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
 import { JwtStrategy } from './strategies/jwt.strategy';
 import { LocalStrategy } from './strategies/local.strategy';
 
@@ -31,6 +32,12 @@ import { LocalStrategy } from './strategies/local.strategy';
     ConfigModule,
     UserModule,
   ],
-  providers: [AuthResolver, AuthService, JwtStrategy, LocalStrategy],
+  providers: [
+    AuthResolver,
+    AuthService,
+    JwtStrategy,
+    LocalStrategy,
+    JwtRefreshStrategy,
+  ],
 })
 export class AuthModule {}
diff --git a/src/auth/auth.resolver.ts b/src/auth/auth.resolver.ts
@@ -3,15 +3,20 @@ import { Args, Mutation, Resolver } from '@nestjs/graphql';
 
 import { SignInInput, SignUpInput } from 'src/auth/inputs/auth.input';
 import { CurrentUser } from 'src/common/decorators/user.decorator';
+import { RefreshGuard } from 'src/common/guards/graphql-refresh.guard';
 import { SignInGuard } from 'src/common/guards/graphql-signin.guard';
 import { User } from 'src/user/entities/user.entity';
+import { UserService } from 'src/user/user.service';
 
 import { AuthService } from './auth.service';
 import { JwtWithUser } from './entities/auth._entity';
 
 @Resolver()
 export class AuthResolver {
-  constructor(private readonly authService: AuthService) {}
+  constructor(
+    private readonly authService: AuthService,
+    private readonly userService: UserService,
+  ) {}
 
   @Mutation(() => JwtWithUser)
   @UseGuards(SignInGuard)
@@ -23,4 +28,19 @@ export class AuthResolver {
   signUp(@Args('input') input: SignUpInput) {
     return this.authService.signUp(input);
   }
+
+  @Mutation(() => Boolean)
+  @UseGuards(RefreshGuard)
+  async signOut(@CurrentUser() user: User) {
+    await this.userService.update(user.id, { refreshToken: null });
+    return true;
+  }
+
+  @Mutation(() => JwtWithUser)
+  @UseGuards(RefreshGuard)
+  refreshAccessToken(@CurrentUser() user: User) {
+    const jwt = this.authService.generateAccessToken(user, user.refreshToken);
+
+    return { jwt, user };
+  }
 }
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -1,4 +1,5 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
 import { JwtService } from '@nestjs/jwt';
 
 import * as bcrypt from 'bcrypt';
@@ -15,10 +16,43 @@ export class AuthService {
   constructor(
     private readonly userService: UserService,
     private readonly jwtService: JwtService,
+    private readonly configService: ConfigService,
   ) {}
 
-  private signJWT(user: User) {
-    return this.jwtService.sign(pick(user, ['id', 'role']));
+  private async generateRefreshToken(userId: string) {
+    const refreshToken = this.jwtService.sign(
+      { id: userId },
+      {
+        secret: this.configService.get('JWT_REFRESH_TOKEN_PRIVATE_KEY'),
+        expiresIn: '7d',
+      },
+    );
+    await this.userService.update(userId, { refreshToken });
+
+    return refreshToken;
+  }
+
+  async verifyRefreshToken(
+    userId: string,
+    refreshToken: string,
+  ): Promise<User> {
+    try {
+      this.jwtService.verify(refreshToken, {
+        secret: this.configService.get('JWT_REFRESH_TOKEN_PRIVATE_KEY'),
+      });
+      return this.userService.getOne({ where: { id: userId, refreshToken } });
+    } catch (err) {
+      if (err.message === 'jwt expired') {
+        this.userService.update(userId, { refreshToken: null });
+      }
+    }
+  }
+
+  generateAccessToken(user: User, refreshToken: string) {
+    return this.jwtService.sign({
+      ...pick(user, ['id', 'role']),
+      refreshToken,
+    });
   }
 
   async signUp(input: SignUpInput): Promise<JwtWithUser> {
@@ -35,8 +69,9 @@ export class AuthService {
     return this.signIn(user);
   }
 
-  signIn(user: User) {
-    const jwt = this.signJWT(user);
+  async signIn(user: User) {
+    const refreshToken = await this.generateRefreshToken(user.id);
+    const jwt = this.generateAccessToken(user, refreshToken);
 
     return { jwt, user };
   }
diff --git a/src/auth/strategies/jwt-refresh.strategy.ts b/src/auth/strategies/jwt-refresh.strategy.ts
@@ -0,0 +1,39 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { PassportStrategy } from '@nestjs/passport';
+
+import { ExtractJwt, Strategy, VerifiedCallback } from 'passport-jwt';
+
+import { AuthService } from '../auth.service';
+
+@Injectable()
+export class JwtRefreshStrategy extends PassportStrategy(
+  Strategy,
+  'jwt-refresh',
+) {
+  constructor(
+    private readonly configService: ConfigService,
+    private readonly authService: AuthService,
+  ) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      secretOrKey: configService.get('JWT_PUBLIC_KEY'),
+    });
+  }
+
+  async validate(
+    payload: { id: string; refreshToken: string },
+    done: VerifiedCallback,
+  ) {
+    try {
+      const userData = await this.authService.verifyRefreshToken(
+        payload.id,
+        payload.refreshToken,
+      );
+
+      done(null, userData);
+    } catch (err) {
+      throw new UnauthorizedException('Error', err.message);
+    }
+  }
+}
diff --git a/src/common/guards/graphql-refresh.guard.ts b/src/common/guards/graphql-refresh.guard.ts
@@ -0,0 +1,16 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class RefreshGuard extends AuthGuard('jwt-refresh') {
+  constructor() {
+    super();
+  }
+
+  getRequest(context: ExecutionContext) {
+    const ctx = GqlExecutionContext.create(context);
+    const req = ctx.getContext().req;
+    return req;
+  }
+}
diff --git a/src/graphql-schema.gql b/src/graphql-schema.gql
@@ -5,6 +5,7 @@
 input CreateUserInput {
   nickname: String!
   password: String!
+  refreshToken: String
   role: String!
   username: String!
 }
@@ -15,7 +16,9 @@ A date-time string at UTC, such as 2019-12-03T09:54:33Z, compliant with the date
 scalar DateTime
 
 input GetManyInput {
-  """count or data or all, default = data"""
+  """
+  count or data or all, default = data
+  """
   dataType: String
 
   """
@@ -36,10 +39,14 @@ type GetUserType {
 }
 
 input IPagination {
-  """Started from 0"""
+  """
+  Started from 0
+  """
   page: Int!
 
-  """Size of page"""
+  """
+  Size of page
+  """
   size: Int!
 }
 
@@ -57,7 +64,9 @@ type Mutation {
   createUser(input: CreateUserInput!): User!
   deleteFiles(keys: [String!]!): Boolean!
   deleteUser(id: String!): JSON!
+  refreshAccessToken: JwtWithUser!
   signIn(input: SignInInput!): JwtWithUser!
+  signOut: Boolean!
   signUp(input: SignUpInput!): JwtWithUser!
   updateUser(id: String!, input: UpdateUserInput!): JSON!
   uploadFile(file: Upload!): String!
@@ -84,18 +93,22 @@ input SignUpInput {
 input UpdateUserInput {
   nickname: String
   password: String
+  refreshToken: String
   role: String
   username: String
 }
 
-"""The `Upload` scalar type represents a file upload."""
+"""
+The `Upload` scalar type represents a file upload.
+"""
 scalar Upload
 
 type User {
   createdAt: DateTime!
   id: ID!
   nickname: String!
+  refreshToken: String
   role: String!
   updatedAt: DateTime!
   username: String!
-}
+}
diff --git a/src/user/entities/user.entity.ts b/src/user/entities/user.entity.ts
@@ -49,6 +49,10 @@ export class User {
   })
   updatedAt: Date;
 
+  @Field(() => String, { nullable: true })
+  @Column({ nullable: true })
+  refreshToken?: string;
+
   @BeforeInsert()
   @BeforeUpdate()
   async beforeInsertOrUpdate() {
diff --git a/src/user/inputs/user.input.ts b/src/user/inputs/user.input.ts
@@ -2,8 +2,10 @@ import { Field, InputType } from '@nestjs/graphql';
 
 import { IsNotEmpty, IsOptional } from 'class-validator';
 
+import { User } from '../entities/user.entity';
+
 @InputType()
-export class CreateUserInput {
+export class CreateUserInput implements Partial<User> {
   @Field(() => String)
   @IsNotEmpty()
   username: string;
@@ -19,10 +21,14 @@ export class CreateUserInput {
   @Field(() => String)
   @IsNotEmpty()
   role: 'admin' | 'user';
+
+  @Field(() => String, { nullable: true })
+  @IsOptional()
+  refreshToken?: string;
 }
 
 @InputType()
-export class UpdateUserInput {
+export class UpdateUserInput implements Partial<User> {
   @Field(() => String, { nullable: true })
   @IsOptional()
   username?: string;
@@ -38,6 +44,10 @@ export class UpdateUserInput {
   @Field(() => String, { nullable: true })
   @IsOptional()
   role?: 'admin' | 'user';
+
+  @Field(() => String, { nullable: true })
+  @IsOptional()
+  refreshToken?: string;
 }
 
 @InputType()
