benawad / graphql-express-template

Node.js GraphQL Server template

Refresh Token being issued even if the Access Token/Refresh Token is tampered and fails to get verified #17

Open dimple1024 opened 3 years ago

dimple1024 commented 3 years ago

In index.js at Line 29 of branch - https://github.com/benawad/graphql-express-template/tree/8_refresh_token:

```js
const addUser = async (req, res, next) => {
  const token = req.headers['x-token'];
  if (token) {
    try {
      const { user } = jwt.verify(token, SECRET);
      req.user = user;
    } catch (err) {
      const refreshToken = req.headers['x-refresh-token'];
```

Here, consider a scenario where the tokens were compromised and one of them, let's say the access token, is now tampered with: it will fail the verification and hence will enter the catch block and will generate a pair of new tokens. There should be an explicit check when the JWT verification fails, and only if it is due to expiration of the token should a new pair of tokens be generated.

dimple1024 commented 3 years ago

Pardon me if I am wrong :)
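
The check requested in this issue, as an added example that is not part of the original thread or of the template's code: a self-contained HS256 verifier built on Node's `crypto` module that reports "expired" separately from "invalid", so that only an authentic but expired access token reaches the refresh path. `SECRET`, `sign`, `classifyToken` and `accessDecision` are hypothetical names, and the tokens it runs on are constructed.

```javascript
// Added example, not code from graphql-express-template.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not the repo's
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => createHmac('sha256', secret).update(input).digest();

// Minimal HS256 signer, used only to build constructed sample tokens.
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const signingInput = `${head}.${body}`;
  return `${signingInput}.${b64url(hmac(signingInput, secret))}`;
}

// Returns { status: 'valid' | 'expired' | 'invalid', payload? }.
// The signature is checked before exp, so 'expired' always means an
// authentic token whose lifetime has passed, never a tampered one.
function classifyToken(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { status: 'invalid' };
  const [head, body, sig] = parts;
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { status: 'invalid' };
  }
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch (err) {
    return { status: 'invalid' };
  }
  if (!header || header.alg !== 'HS256' || !payload) return { status: 'invalid' };
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) {
    return { status: 'expired', payload };
  }
  return { status: 'valid', payload };
}

// Hypothetical decision helper for a middleware like addUser.
function accessDecision(token, secret, nowSec) {
  const { status, payload } = classifyToken(token, secret, nowSec);
  if (status === 'valid') return { action: 'accept', user: payload.user };
  if (status === 'expired') return { action: 'try-refresh' };
  return { action: 'reject' }; // tampered or malformed: issue nothing
}
```

On the `try-refresh` path the refresh token still has to pass its own verification before a new pair is issued. If `jwt` in the snippet above is the jsonwebtoken package, the same split is available in the catch block by testing `err.name === 'TokenExpiredError'`.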