Merge branch 'apollo_jwt_withdrawSessionId' into login_call_updateUserInfos

2025-12-13 07:45:54 +00:00 · 2021-11-17 00:12:12 +01:00 · 2021-11-17 00:12:12 +01:00 · f0bfe7a7a1
commit f0bfe7a7a1
parent c9f167d07b 1f5c740359
5 changed files with 14 additions and 27 deletions
--- a/backend/src/graphql/directive/isAuthorized.ts
+++ b/backend/src/graphql/directive/isAuthorized.ts
@ -13,15 +13,9 @@ const isAuthorized: AuthChecker<any> = async (
 ) => {
  if (context.token) {
    const decoded = decode(context.token)
-    if (decoded.sessionId && decoded.sessionId !== 0) {
-      const result = await apiGet(
-        `${CONFIG.LOGIN_API_URL}checkSessionState?session_id=${decoded.sessionId}`,
-      )
-      context.sessionId = decoded.sessionId
-      context.pubKey = decoded.pubKey
-      context.setHeaders.push({ key: 'token', value: encode(decoded.sessionId, decoded.pubKey) })
-      return result.success
-    }
+    context.pubKey = decoded.pubKey
+    context.setHeaders.push({ key: 'token', value: encode(decoded.pubKey) })
+    return true
  }
  throw new Error('401 Unauthorized')
 }
--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@ -516,7 +516,7 @@ export class TransactionResolver {
    }

    // validate recipient user
-    // TODO: the detour over the public key is unnecessary
+    // TODO: the detour over the public key is unnecessary sessionId is removed
    const recipiantPublicKey = await getPublicKey(email, context.sessionId)
    if (!recipiantPublicKey) {
      throw new Error('recipiant not known')
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -209,7 +209,7 @@ export class UserResolver {

    context.setHeaders.push({
      key: 'token',
-      value: encode(result.data.session_id, result.data.user.public_hex),
+      value: encode(result.data.user.public_hex),
    })
    const user = new User(result.data.user)
    // Hack: Database Field is not validated properly and not nullable
@ -273,13 +273,13 @@ export class UserResolver {

  @Authorized()
  @Query(() => String)
-  async logout(@Ctx() context: any): Promise<string> {
-    const payload = { session_id: context.sessionId }
-    const result = await apiPost(CONFIG.LOGIN_API_URL + 'logout', payload)
-    if (!result.success) {
-      throw new Error(result.data)
-    }
-    return 'success'
+  async logout(): Promise<boolean> {
+    // TODO: We dont need this anymore, but might need this in the future in oder to invalidate a valid JWT-Token.
+    // Furthermore this hook can be useful for tracking user behaviour (did he logout or not? Warn him if he didn't on next login)
+    // The functionality is fully client side - the client just needs to delete his token with the current implementation.
+    // we could try to force this by sending `token: null` or `token: ''` with this call. But since it bares no real security
+    // we should just return true for now.
+    return true
  }

  @Mutation(() => String)
@ -596,7 +596,6 @@ export class UserResolver {
  @Authorized()
  @Query(() => Boolean)
  async hasElopage(@Ctx() context: any): Promise<boolean> {
-    // const result = await apiGet(CONFIG.LOGIN_API_URL + 'hasElopage?session_id=' + context.sessionId)
    const userRepository = getCustomRepository(UserRepository)
    const userEntity = await userRepository.findByPubkeyHex(context.pubKey).catch()
    if (!userEntity) {
--- a/backend/src/jwt/decode.ts
+++ b/backend/src/jwt/decode.ts
@ -2,27 +2,22 @@ import jwt, { JwtPayload } from 'jsonwebtoken'
 import CONFIG from '../config/'

 interface CustomJwtPayload extends JwtPayload {
-  sessionId: number
  pubKey: Buffer
 }

 type DecodedJwt = {
  token: string
-  sessionId: number
  pubKey: Buffer
 }

 export default (token: string): DecodedJwt => {
  if (!token) throw new Error('401 Unauthorized')
-  let sessionId = null
  let pubKey = null
  try {
    const decoded = <CustomJwtPayload>jwt.verify(token, CONFIG.JWT_SECRET)
-    sessionId = decoded.sessionId
    pubKey = decoded.pubKey
    return {
      token,
-      sessionId,
      pubKey,
    }
  } catch (err) {
--- a/backend/src/jwt/encode.ts
+++ b/backend/src/jwt/encode.ts
@ -5,10 +5,9 @@ import jwt from 'jsonwebtoken'
 import CONFIG from '../config/'

 // Generate an Access Token
-export default function encode(sessionId: number, pubKey: Buffer): string {
-  const token = jwt.sign({ sessionId, pubKey }, CONFIG.JWT_SECRET, {
+export default function encode(pubKey: Buffer): string {
+  const token = jwt.sign({ pubKey }, CONFIG.JWT_SECRET, {
    expiresIn: CONFIG.JWT_EXPIRES_IN,
-    subject: sessionId.toString(),
  })
  return token
 }