From 2693469217bb29ebec6ddefb6a634604202cb3af Mon Sep 17 00:00:00 2001
From: Chandresh Kerkar
Date: Sat, 20 Dec 2025 02:19:40 +0530
Subject: [PATCH] Fixed loggin problem added logs tho
---
 src/routes/authRoutes.js | 11 ++++++++++-
 src/services/tokenService.js | 16 +++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/routes/authRoutes.js b/src/routes/authRoutes.js
index e3e35d0..30d995a 100644
--- a/src/routes/authRoutes.js
+++ b/src/routes/authRoutes.js
@@ -635,10 +635,13 @@ router.post(
 return res.status(403).json({ error: 'Access denied from this location.' });
 }
+ console.log(`[AUTH] Refresh token request received: ip=${clientIp}, userAgent=${req.headers['user-agent']}`);
 const verification = await verifyRefreshToken(refresh_token);
 if (!verification || verification.reuseDetected) {
+ console.log(`[AUTH] Refresh token verification failed: reuseDetected=${verification?.reuseDetected || false}`);
 return res.status(401).json({ error: 'Invalid refresh token' });
 }
+ console.log(`[AUTH] Refresh token verified: userId=${verification.userId}, deviceId=${verification.deviceId}`);
 const { userId, deviceId, row: tokenRow } = verification;
@@ -705,12 +708,17 @@ router.post(
 );
 const hasRecentOtp = recentOtpCheck.rows.length > 0;
+ console.log(`[AUTH] Token refresh: userId=${userId}, deviceId=${deviceId}, ip=${clientIp}`);
+
 const newAccess = signAccessToken(user, { highAssurance: hasRecentOtp });
+ console.log(`[AUTH] New access token generated: userId=${userId}, expiresIn=${ACCESS_TTL}`);
+
 const newRefresh = await rotateRefreshToken({
 tokenRow,
 userAgent: req.headers['user-agent'],
 ip: clientIp,
 });
+ console.log(`[AUTH] New refresh token generated and rotated: userId=${userId}, deviceId=${deviceId}`);
 // === SECURITY HARDENING: AUDIT LOGS & ANOMALY FLAGS ===
 // Log refresh event
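Review bot: The request-received log on the first added line of the @@ -635 hunk writes `req.headers['user-agent']` into the log verbatim; that header is caller-controlled and may contain CR/LF or other control characters, so a crafted value can corrupt line-oriented log parsing or make one request look like several log lines. Serialize it before interpolating, e.g. `userAgent=${JSON.stringify(req.headers['user-agent'] ?? '')}`, or route it through a structured logger that escapes fields. The same consideration applies to `clientIp` if it is derived from a forwarded header rather than the socket address; how it is derived is not visible in this hunk. The enclosing `router.post` handler starts and ends outside the hunk.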
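Review bot: In the @@ -705 hunk the `New access token generated` line fires immediately after `signAccessToken`, which now emits its own `Generated access token` line in the tokenService.js @@ -28 hunk, so every refresh produces two near-identical records for one event; keep one of them, preferably the service-level one, and drop `console.log(`[AUTH] New access token generated: userId=${userId}, expiresIn=${ACCESS_TTL}`);` here. More generally all of the added lines in this hunk (and in the @@ -635 and @@ -741 hunks) use `console.log`, which carries no severity, so these routine per-request traces will be indistinguishable from the reuse-detection events added in tokenService.js; if the project has a leveled logger, these belong at debug level. The trailing comment shows an audit-log write already follows, which records the same userId/deviceId/ip. The enclosing handler starts and ends outside the hunk.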
@@ -741,9 +749,10 @@ router.post(
 // Don't fail the refresh if device update fails
 }
+ console.log(`[AUTH] Token refresh successful: userId=${userId}, deviceId=${deviceId}`);
 return res.json({ access_token: newAccess, refresh_token: newRefresh });
 } catch (err) {
- console.error('refresh error', err);
+ console.error('[AUTH] refresh error', err);
 return res.status(500).json({ error: 'Internal server error' });
 }
 });
diff --git a/src/services/tokenService.js b/src/services/tokenService.js
index 86af656..bec3845 100644
--- a/src/services/tokenService.js
+++ b/src/services/tokenService.js
@@ -28,7 +28,9 @@ function signAccessToken(user, options = {}) {
 payload.high_assurance = true;
 }
- return jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL });
+ const token = jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL });
+ console.log(`[TOKEN_SERVICE] signAccessToken: Generated access token - userId=${user.id}, tokenVersion=${payload.token_version}, expiresIn=${ACCESS_TTL}`);
+ return token;
 }
 async function issueRefreshToken({
@@ -105,15 +107,19 @@ async function storeRefreshToken({
 }
 async function verifyRefreshToken(rawToken) {
+ console.log('[TOKEN_SERVICE] verifyRefreshToken: Starting verification');
 let payload;
 try {
 payload = jwt.verify(rawToken, REFRESH_SECRET);
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verified - userId=${payload.sub}, deviceId=${payload.device_id}, tokenId=${payload.jti}`);
 } catch (err) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verification failed - ${err.message}`);
 return null;
 }
 const { sub: userId, device_id: deviceId, jti: tokenId } = payload;
 if (!tokenId) {
+ console.log('[TOKEN_SERVICE] verifyRefreshToken: No tokenId in payload');
 return null;
 }
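Review bot: In the @@ -105 hunk the catch-branch log after `jwt.verify` records only `err.message`, which does not let an operator separate the routine case (an expired refresh token, `TokenExpiredError`) from a signature or algorithm failure (`JsonWebTokenError`), the case that actually indicates a foreign or altered token. Include the error class so the two can be filtered apart: `console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verification failed - ${err.name}: ${err.message}`);`. The `Starting verification` line carries no identifying field and adds only volume; if it stays, a per-request correlation id would be needed to tie it to the route's `[AUTH]` lines. `verifyRefreshToken` continues past the end of the hunk.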
@@ -123,29 +129,35 @@ async function verifyRefreshToken(rawToken) {
 );
 if (rows.length === 0) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token not found in database - tokenId=${tokenId}`);
 return null;
 }
 const tokenRow = rows[0];
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token found in DB - userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}, revoked=${!!tokenRow.revoked_at}`);
 if (tokenRow.user_id !== userId || tokenRow.device_id !== deviceId) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: User/device mismatch - expected userId=${userId}, deviceId=${deviceId}, got userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}`);
 await handleReuse(tokenRow);
 return { reuseDetected: true };
 }
 const match = await bcrypt.compare(rawToken, tokenRow.token_hash);
 if (!match) {
+ console.log('[TOKEN_SERVICE] verifyRefreshToken: Token hash mismatch - possible reuse');
 await handleReuse(tokenRow);
 return { reuseDetected: true };
 }
 if (tokenRow.revoked_at) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token revoked at ${tokenRow.revoked_at}`);
 await handleReuse(tokenRow);
 return { reuseDetected: true };
 }
 const now = new Date();
 if (tokenRow.expires_at <= now) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token expired - expiresAt=${tokenRow.expires_at}, now=${now}`);
 await revokeToken(tokenRow.id);
 return null;
 }
@@ -154,6 +166,7 @@ async function verifyRefreshToken(rawToken) {
 tokenRow.last_used_at &&
 now.getTime() - new Date(tokenRow.last_used_at).getTime() > REFRESH_MAX_IDLE_MS
 ) {
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token idle timeout exceeded - lastUsedAt=${tokenRow.last_used_at}`);
 await revokeToken(tokenRow.id);
 return null;
 }
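Review bot: In the @@ -123 hunk the three reuse branches (user/device mismatch, hash mismatch, revoked token) are the security-relevant outcomes of this function, yet they are emitted with `console.log` exactly like the routine `Token found in DB` trace, and the hash-mismatch line carries no identifier at all to correlate with the `handleReuse` call that follows it. Emit them at warning level with the ids the surrounding code already has, e.g. `console.warn(`[TOKEN_SERVICE] verifyRefreshToken: Token hash mismatch - possible reuse - tokenId=${tokenId}, userId=${userId}`);`, and the same for the other two branches, so a detection rule can key on one level and one set of fields. The `Token found in DB` line already prints `revoked=` before the revoked check runs, so the later `Token revoked at` line partly repeats it. `verifyRefreshToken` starts before and continues after this hunk.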
@@ -162,6 +175,7 @@ async function verifyRefreshToken(rawToken) {
 `UPDATE refresh_tokens SET last_used_at = NOW() WHERE id = $1`,
 [tokenRow.id]
 );
+ console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token verified successfully - userId=${userId}, deviceId=${deviceId}`);
 return { userId, deviceId, row: tokenRow };
 }