Only return refresh tokens if modified

mvantellingen · mvantellingen · commit ede342ed0f57 · 2023-07-24T15:59:19.000+02:00
Before the refresh token was always returned if the access token was
modified. But since they can be modified independently of each other we
should also check that.
diff --git a/.changeset/eight-clouds-sleep.md b/.changeset/eight-clouds-sleep.md
@@ -0,0 +1,5 @@
+---
+"@labdigital/federated-token": minor
+---
+
+Only return refresh tokens if modified
diff --git a/src/gateway.test.ts b/src/gateway.test.ts
@@ -19,6 +19,7 @@ describe("GatewayAuthPlugin", () => {
 	const typeDefs = `#graphql
  			type Query {
     		testToken(create: Boolean): String!
+    		refreshToken: String!
   		}
 	`;
 	const resolvers = {
@@ -33,9 +34,20 @@ describe("GatewayAuthPlugin", () => {
 						token: "bar",
 						exp: Date.now() + 1000,
 					});
+					context.federatedToken?.setRefreshToken("foo", "bar");
 				}
 				return JSON.stringify(context.federatedToken);
 			},
+			refreshToken: (
+				_: any,
+				context: PublicFederatedTokenContext
+			) => {
+				context.federatedToken?.setAccessToken("foo", {
+					token: "bar",
+					exp: Date.now() + 1000,
+				});
+				return JSON.stringify(context.federatedToken);
+			},
 		},
 	};
 
diff --git a/src/gateway.ts b/src/gateway.ts
@@ -46,7 +46,7 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>
 			}
 		}
 
-		const rt = request.http?.headers.get("x-refresh-token")
+		const rt = request.http?.headers.get("x-refresh-token");
 		if (rt) {
 			await contextValue.federatedToken?.loadRefreshJWT(this.signer, rt);
 		}
@@ -58,17 +58,18 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>
 		const { contextValue, response } = requestContext;
 		const token = contextValue?.federatedToken;
 
-		if (!token?.isModified()) {
-			return;
-		}
-		const accessToken = await token.createAccessJWT(this.signer);
-		if (accessToken) {
-			response.http.headers.set("X-Access-Token", accessToken);
+		if (token?.isAccessTokenModified()) {
+			const accessToken = await token.createAccessJWT(this.signer);
+			if (accessToken) {
+				response.http.headers.set("X-Access-Token", accessToken);
+			}
 		}
 
-		const refreshToken = await token.createRefreshJWT(this.signer);
-		if (refreshToken) {
-			response.http.headers.set("X-Refresh-Token", refreshToken);
+		if (token?.isRefreshTokenModified()) {
+			const refreshToken = await token.createRefreshJWT(this.signer);
+			if (refreshToken) {
+				response.http.headers.set("X-Refresh-Token", refreshToken);
+			}
 		}
 	}
 }
diff --git a/src/plugin.ts b/src/plugin.ts
@@ -40,14 +40,14 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>
 
 		const t = contextValue.federatedToken;
 
-		if (t.isModified()) {
+		if (t.isAccessTokenModified()) {
 			const val = t.dumpAccessToken();
 			if (val) {
 				response.http.headers.set("X-Access-Token", val);
 			}
 		}
 
-		if (t.refreshTokens) {
+		if (t.isRefreshTokenModified()) {
 			const val = t.dumpRefreshToken();
 			if (val) {
 				response.http.headers.set("X-Refresh-Token", val);
diff --git a/src/token.test.ts b/src/token.test.ts
@@ -11,7 +11,7 @@ describe("FederatedToken", () => {
     };
     federatedToken.setAccessToken("exampleName", token);
     assert.equal(federatedToken.tokens.exampleName, token);
-    assert.isTrue(federatedToken.isModified());
+    assert.isTrue(federatedToken.isAccessTokenModified());
   });
 
   test("setRefreshToken", () => {
@@ -20,14 +20,14 @@ describe("FederatedToken", () => {
     assert.equal(federatedToken.refreshTokens.exampleName, "exampleToken");
   });
 
-  test("isModified", () => {
+  test("isAccessTokenModified", () => {
 		const federatedToken = new FederatedToken();
-    assert.isFalse(federatedToken.isModified());
+    assert.isFalse(federatedToken.isAccessTokenModified());
     federatedToken.setAccessToken("exampleName", {
       token: "exampleToken",
       exp: 1234567890,
     });
-    assert.isTrue(federatedToken.isModified());
+    assert.isTrue(federatedToken.isAccessTokenModified());
   });
 
   test("loadAccessToken", () => {
@@ -66,7 +66,7 @@ describe("FederatedToken", () => {
     );
 
     assert.isFalse(
-      federatedToken.isModified(),
+      federatedToken.isAccessTokenModified(),
       "isModified should be false when trackModified is false and token is modified"
     );
   });
@@ -107,7 +107,7 @@ describe("FederatedToken", () => {
     );
 
     assert.isTrue(
-      federatedToken.isModified(),
+      federatedToken.isAccessTokenModified(),
       "isModified should be true when trackModified is true and token is modified"
     );
   });
diff --git a/src/token.ts b/src/token.ts
@@ -15,26 +15,33 @@ export class FederatedToken {
 	refreshTokens: Record<string, string>;
 	values: Record<string, any>;
 
-	private _modified: boolean;
+	private _accessTokenModified: boolean;
+	private _refreshTokenModified: boolean;
 
 	constructor() {
 		this.tokens = {};
 		this.refreshTokens = {};
 		this.values = {};
-		this._modified = false;
+		this._accessTokenModified = false;
+		this._refreshTokenModified = false;
 	}
 
 	setAccessToken(name: string, token: AccessToken) {
 		this.tokens[name] = token;
-		this._modified = true;
+		this._accessTokenModified = true;
 	}
 
 	setRefreshToken(name: string, token: string) {
 		this.refreshTokens[name] = token;
+		this._refreshTokenModified = true;
 	}
 
-	isModified() {
-		return this._modified;
+	isAccessTokenModified() {
+		return this._accessTokenModified;
+	}
+
+	isRefreshTokenModified() {
+		return this._refreshTokenModified;
 	}
 
 	loadAccessToken(at: string, trackModified = false) {
@@ -49,7 +56,7 @@ export class FederatedToken {
 		// Merge tokens into this object
 		for (const k in token.tokens) {
 			if (trackModified && !isEqual(this.tokens[k], token.tokens[k])) {
-				this._modified = true;
+				this._accessTokenModified = true;
 			}
 
 			this.tokens[k] = token.tokens[k];
@@ -76,7 +83,7 @@ export class FederatedToken {
 	}
 
 
-	loadRefreshToken(value: string) {
+	loadRefreshToken(value: string, trackModified = false) {
 		const refreshTokens: Record<string, string> = JSON.parse(
 			Buffer.from(value, "base64").toString("ascii")
 		);
@@ -86,6 +93,10 @@ export class FederatedToken {
 		// Merge tokens in object
 		for (const k in refreshTokens) {
 			this.refreshTokens[k] = refreshTokens[k];
+
+			if (trackModified && !isEqual(this.refreshTokens[k], refreshTokens[k])) {
+				this._refreshTokenModified = true;
+			}
 		}
 	}
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@labdigital/federated-token": minor
 +---
++
 +Only return refresh tokens if modified
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`
`49`		`- const rt = request.http?.headers.get("x-refresh-token")`
	`49`	`+ const rt = request.http?.headers.get("x-refresh-token");`
`50`	`50`	`if (rt) {`
`51`	`51`	`await contextValue.federatedToken?.loadRefreshJWT(this.signer, rt);`
`52`	`52`	`}`
`@@ -58,17 +58,18 @@ export class GatewayAuthPlugin<TContext extends PublicFederatedTokenContext>`
`58`	`58`	`const { contextValue, response } = requestContext;`
`59`	`59`	`const token = contextValue?.federatedToken;`
`60`	`60`
`61`		`- if (!token?.isModified()) {`
`62`		`- return;`
`63`		`- }`
`64`		`- const accessToken = await token.createAccessJWT(this.signer);`
`65`		`- if (accessToken) {`
`66`		`- response.http.headers.set("X-Access-Token", accessToken);`
	`61`	`+ if (token?.isAccessTokenModified()) {`
	`62`	`+ const accessToken = await token.createAccessJWT(this.signer);`
	`63`	`+ if (accessToken) {`
	`64`	`+ response.http.headers.set("X-Access-Token", accessToken);`
	`65`	`+ }`
`67`	`66`	`}`
`68`	`67`
`69`		`- const refreshToken = await token.createRefreshJWT(this.signer);`
`70`		`- if (refreshToken) {`
`71`		`- response.http.headers.set("X-Refresh-Token", refreshToken);`
	`68`	`+ if (token?.isRefreshTokenModified()) {`
	`69`	`+ const refreshToken = await token.createRefreshJWT(this.signer);`
	`70`	`+ if (refreshToken) {`
	`71`	`+ response.http.headers.set("X-Refresh-Token", refreshToken);`
	`72`	`+ }`
`72`	`73`	`}`
`73`	`74`	`}`
`74`	`75`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,14 +40,14 @@ export class FederatedAuthPlugin<TContext extends FederatedTokenContext>`
`40`	`40`
`41`	`41`	`const t = contextValue.federatedToken;`
`42`	`42`
`43`		`- if (t.isModified()) {`
	`43`	`+ if (t.isAccessTokenModified()) {`
`44`	`44`	`const val = t.dumpAccessToken();`
`45`	`45`	`if (val) {`
`46`	`46`	`response.http.headers.set("X-Access-Token", val);`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`
`50`		`- if (t.refreshTokens) {`
	`50`	`+ if (t.isRefreshTokenModified()) {`
`51`	`51`	`const val = t.dumpRefreshToken();`
`52`	`52`	`if (val) {`
`53`	`53`	`response.http.headers.set("X-Refresh-Token", val);`