Open buholzer opened 7 years ago
Thanks so much for implementing the boilerplate, very helpful!
I saw that in the dynamo cache the existence of the token is not checked:
```js
const newRefreshToken = (data) => {
  const userId = data.Items[0].userId;
  const payload = data.Items[0].payload;
  // ...
```
https://github.com/laardee/serverless-authentication-boilerplate/blob/master/authentication/lib/storage/dynamo/dynamoCache.js#L149
Added the following check:
```js
if (data.Count <= 0) return Promise.reject('Invalid token');
```
Also it looks like you can use expired tokens, the query does not restrict to expired=false:
```js
const params = {
  TableName: table,
  ProjectionExpression: '#token, #type, #userId',
  KeyConditionExpression: '#token = :token and #type = :type',
  ExpressionAttributeNames: {
    '#token': 'token',
    '#type': 'type',
    '#userId': 'userId'
  },
  ExpressionAttributeValues: {
    ':token': oldToken,
    ':type': 'REFRESH'
  }
};
```
https://github.com/laardee/serverless-authentication-boilerplate/blob/master/authentication/lib/storage/dynamo/dynamoCache.js#L129
Changed params to:
```js
const params = {
  TableName: table,
  ProjectionExpression: '#token, #type, #userId, #expired',
  KeyConditionExpression: '#token = :token and #type = :type',
  FilterExpression: '#expired = :expired',
  ExpressionAttributeNames: {
    '#token': 'token',
    '#type': 'type',
    '#userId': 'userId',
    '#expired': 'expired'
  },
  ExpressionAttributeValues: {
    ':token': oldToken,
    ':type': 'REFRESH',
    ':expired': false
  }
};
```
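The two fixes from the issue put together, as an added example that is not the boilerplate's own code: the query builder carries the `FilterExpression` on `expired`, and the result is validated (non-empty, type `REFRESH`, not expired) before any user data is read from it. `buildRefreshQuery`, `validateRefreshResult` and the sample DynamoDB-shaped responses are assumed names and constructed data; the validator throws synchronously instead of returning a rejected promise so that it can be exercised without an AWS client.

```javascript
// Added example, not code from the serverless-authentication-boilerplate.
// Query params as proposed in the issue: the FilterExpression drops rows
// already marked expired before they reach application code.
function buildRefreshQuery(table, oldToken) {
  return {
    TableName: table,
    ProjectionExpression: '#token, #type, #userId, #expired',
    KeyConditionExpression: '#token = :token and #type = :type',
    FilterExpression: '#expired = :expired',
    ExpressionAttributeNames: {
      '#token': 'token', '#type': 'type', '#userId': 'userId', '#expired': 'expired'
    },
    ExpressionAttributeValues: { ':token': oldToken, ':type': 'REFRESH', ':expired': false }
  };
}

// Defence in depth: even with the filter applied server-side, never index
// Items[0] until the response has been checked. Returns { userId, payload }
// or throws 'Invalid token' (the issue's check, plus type/expired re-validation).
function validateRefreshResult(data) {
  if (!data || !Number.isInteger(data.Count) || data.Count <= 0 ||
      !Array.isArray(data.Items) || data.Items.length === 0) {
    throw new Error('Invalid token');
  }
  const item = data.Items[0];
  if (item.type !== 'REFRESH' || item.expired !== false || typeof item.userId !== 'string') {
    throw new Error('Invalid token');
  }
  return { userId: item.userId, payload: item.payload };
}

// Constructed sample responses shaped like DynamoDB Query output (not real data).
const emptyResult = { Count: 0, Items: [] };
const expiredResult = {
  Count: 1, Items: [{ token: 'tok-1', type: 'REFRESH', userId: 'user-1', expired: true }]
};
const validResult = {
  Count: 1,
  Items: [{ token: 'tok-1', type: 'REFRESH', userId: 'user-1', expired: false, payload: { id: 'user-1' } }]
};
```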