Fixed logging problem, added logs though
This commit is contained in:
parent
f81d81c74b
commit
2693469217
|
|
@ -635,10 +635,13 @@ router.post(
|
|||
return res.status(403).json({ error: 'Access denied from this location.' });
|
||||
}
|
||||
|
||||
console.log(`[AUTH] Refresh token request received: ip=${clientIp}, userAgent=${req.headers['user-agent']}`);
|
||||
const verification = await verifyRefreshToken(refresh_token);
|
||||
if (!verification || verification.reuseDetected) {
|
||||
console.log(`[AUTH] Refresh token verification failed: reuseDetected=${verification?.reuseDetected || false}`);
|
||||
return res.status(401).json({ error: 'Invalid refresh token' });
|
||||
}
|
||||
console.log(`[AUTH] Refresh token verified: userId=${verification.userId}, deviceId=${verification.deviceId}`);
|
||||
|
||||
const { userId, deviceId, row: tokenRow } = verification;
|
||||
|
||||
|
|
@ -705,12 +708,17 @@ router.post(
|
|||
);
|
||||
const hasRecentOtp = recentOtpCheck.rows.length > 0;
|
||||
|
||||
console.log(`[AUTH] Token refresh: userId=${userId}, deviceId=${deviceId}, ip=${clientIp}`);
|
||||
|
||||
const newAccess = signAccessToken(user, { highAssurance: hasRecentOtp });
|
||||
console.log(`[AUTH] New access token generated: userId=${userId}, expiresIn=${ACCESS_TTL}`);
|
||||
|
||||
const newRefresh = await rotateRefreshToken({
|
||||
tokenRow,
|
||||
userAgent: req.headers['user-agent'],
|
||||
ip: clientIp,
|
||||
});
|
||||
console.log(`[AUTH] New refresh token generated and rotated: userId=${userId}, deviceId=${deviceId}`);
|
||||
|
||||
// === SECURITY HARDENING: AUDIT LOGS & ANOMALY FLAGS ===
|
||||
// Log refresh event
|
||||
|
|
@ -741,9 +749,10 @@ router.post(
|
|||
// Don't fail the refresh if device update fails
|
||||
}
|
||||
|
||||
console.log(`[AUTH] Token refresh successful: userId=${userId}, deviceId=${deviceId}`);
|
||||
return res.json({ access_token: newAccess, refresh_token: newRefresh });
|
||||
} catch (err) {
|
||||
console.error('refresh error', err);
|
||||
console.error('[AUTH] refresh error', err);
|
||||
return res.status(500).json({ error: 'Internal server error' });
|
||||
}
|
||||
});
|
||||
|
|
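Review bot: The new log line in the first hunk interpolates `req.headers['user-agent']` verbatim into the console output; a client controls that header, so a value containing newlines or ANSI sequences can forge additional `[AUTH]` lines or corrupt whatever collects these logs. Encode it before logging, e.g. `userAgent=${JSON.stringify(req.headers['user-agent'] ?? '')}`, which turns control characters into escapes and keeps one event per line. In the third hunk both `console.error('refresh error', err)` and `console.error('[AUTH] refresh error', err)` are printed; if the former is a removed line this is fine, but if both survived the same error is now reported twice. The `router.post` handler these hunks belong to starts before the first hunk and the context between hunks is not shown.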
|
|||
|
|
@ -28,7 +28,9 @@ function signAccessToken(user, options = {}) {
|
|||
payload.high_assurance = true;
|
||||
}
|
||||
|
||||
return jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL });
|
||||
const token = jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL });
|
||||
console.log(`[TOKEN_SERVICE] signAccessToken: Generated access token - userId=${user.id}, tokenVersion=${payload.token_version}, expiresIn=${ACCESS_TTL}`);
|
||||
return token;
|
||||
}
|
||||
|
||||
async function issueRefreshToken({
|
||||
|
|
@ -105,15 +107,19 @@ async function storeRefreshToken({
|
|||
}
|
||||
|
||||
async function verifyRefreshToken(rawToken) {
|
||||
console.log('[TOKEN_SERVICE] verifyRefreshToken: Starting verification');
|
||||
let payload;
|
||||
try {
|
||||
payload = jwt.verify(rawToken, REFRESH_SECRET);
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verified - userId=${payload.sub}, deviceId=${payload.device_id}, tokenId=${payload.jti}`);
|
||||
} catch (err) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verification failed - ${err.message}`);
|
||||
return null;
|
||||
}
|
||||
|
||||
const { sub: userId, device_id: deviceId, jti: tokenId } = payload;
|
||||
if (!tokenId) {
|
||||
console.log('[TOKEN_SERVICE] verifyRefreshToken: No tokenId in payload');
|
||||
return null;
|
||||
}
|
||||
|
||||
|
|
@ -123,29 +129,35 @@ async function verifyRefreshToken(rawToken) {
|
|||
);
|
||||
|
||||
if (rows.length === 0) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token not found in database - tokenId=${tokenId}`);
|
||||
return null;
|
||||
}
|
||||
|
||||
const tokenRow = rows[0];
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token found in DB - userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}, revoked=${!!tokenRow.revoked_at}`);
|
||||
|
||||
if (tokenRow.user_id !== userId || tokenRow.device_id !== deviceId) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: User/device mismatch - expected userId=${userId}, deviceId=${deviceId}, got userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}`);
|
||||
await handleReuse(tokenRow);
|
||||
return { reuseDetected: true };
|
||||
}
|
||||
|
||||
const match = await bcrypt.compare(rawToken, tokenRow.token_hash);
|
||||
if (!match) {
|
||||
console.log('[TOKEN_SERVICE] verifyRefreshToken: Token hash mismatch - possible reuse');
|
||||
await handleReuse(tokenRow);
|
||||
return { reuseDetected: true };
|
||||
}
|
||||
|
||||
if (tokenRow.revoked_at) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token revoked at ${tokenRow.revoked_at}`);
|
||||
await handleReuse(tokenRow);
|
||||
return { reuseDetected: true };
|
||||
}
|
||||
|
||||
const now = new Date();
|
||||
if (tokenRow.expires_at <= now) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token expired - expiresAt=${tokenRow.expires_at}, now=${now}`);
|
||||
await revokeToken(tokenRow.id);
|
||||
return null;
|
||||
}
|
||||
|
|
@ -154,6 +166,7 @@ async function verifyRefreshToken(rawToken) {
|
|||
tokenRow.last_used_at &&
|
||||
now.getTime() - new Date(tokenRow.last_used_at).getTime() > REFRESH_MAX_IDLE_MS
|
||||
) {
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token idle timeout exceeded - lastUsedAt=${tokenRow.last_used_at}`);
|
||||
await revokeToken(tokenRow.id);
|
||||
return null;
|
||||
}
|
||||
|
|
@ -162,6 +175,7 @@ async function verifyRefreshToken(rawToken) {
|
|||
`UPDATE refresh_tokens SET last_used_at = NOW() WHERE id = $1`,
|
||||
[tokenRow.id]
|
||||
);
|
||||
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token verified successfully - userId=${userId}, deviceId=${deviceId}`);
|
||||
|
||||
return { userId, deviceId, row: tokenRow };
|
||||
}
|
||||
|
|
|
|||
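Review bot: The reuse-detection branches in `verifyRefreshToken` (user/device mismatch, hash mismatch, use of a revoked token) now emit their message with `console.log`, the same level as the per-call "Starting verification" and "Token found in DB" lines, so the events a defender actually needs to alert on are indistinguishable from routine noise and are dropped by any log configuration that filters below warn. Emit them with `console.warn` (or `console.error`) instead, e.g. `console.warn('[TOKEN_SERVICE] verifyRefreshToken: Token hash mismatch - possible reuse');`, and do the same for the mismatch and revoked-token lines. Several of the new lines also print `payload.jti`/`tokenId`, the row's lookup key; it is not the secret itself, but consider whether it belongs in info-level output at all. `verifyRefreshToken` begins in the second hunk and its body is spread across the remaining hunks, so the lines between them are not visible here.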