Fixed loggin problem added logs tho

This commit is contained in:
Chandresh Kerkar 2025-12-20 02:19:40 +05:30
parent f81d81c74b
commit 2693469217
2 changed files with 25 additions and 2 deletions


@ -635,10 +635,13 @@ router.post(
return res.status(403).json({ error: 'Access denied from this location.' }); return res.status(403).json({ error: 'Access denied from this location.' });
} }
console.log(`[AUTH] Refresh token request received: ip=${clientIp}, userAgent=${req.headers['user-agent']}`);
const verification = await verifyRefreshToken(refresh_token); const verification = await verifyRefreshToken(refresh_token);
if (!verification || verification.reuseDetected) { if (!verification || verification.reuseDetected) {
console.log(`[AUTH] Refresh token verification failed: reuseDetected=${verification?.reuseDetected || false}`);
return res.status(401).json({ error: 'Invalid refresh token' }); return res.status(401).json({ error: 'Invalid refresh token' });
} }
console.log(`[AUTH] Refresh token verified: userId=${verification.userId}, deviceId=${verification.deviceId}`);
const { userId, deviceId, row: tokenRow } = verification; const { userId, deviceId, row: tokenRow } = verification;
@ -705,12 +708,17 @@ router.post(
); );
const hasRecentOtp = recentOtpCheck.rows.length > 0; const hasRecentOtp = recentOtpCheck.rows.length > 0;
console.log(`[AUTH] Token refresh: userId=${userId}, deviceId=${deviceId}, ip=${clientIp}`);
const newAccess = signAccessToken(user, { highAssurance: hasRecentOtp }); const newAccess = signAccessToken(user, { highAssurance: hasRecentOtp });
console.log(`[AUTH] New access token generated: userId=${userId}, expiresIn=${ACCESS_TTL}`);
const newRefresh = await rotateRefreshToken({ const newRefresh = await rotateRefreshToken({
tokenRow, tokenRow,
userAgent: req.headers['user-agent'], userAgent: req.headers['user-agent'],
ip: clientIp, ip: clientIp,
}); });
console.log(`[AUTH] New refresh token generated and rotated: userId=${userId}, deviceId=${deviceId}`);
// === SECURITY HARDENING: AUDIT LOGS & ANOMALY FLAGS === // === SECURITY HARDENING: AUDIT LOGS & ANOMALY FLAGS ===
// Log refresh event // Log refresh event
@ -741,9 +749,10 @@ router.post(
// Don't fail the refresh if device update fails // Don't fail the refresh if device update fails
} }
console.log(`[AUTH] Token refresh successful: userId=${userId}, deviceId=${deviceId}`);
return res.json({ access_token: newAccess, refresh_token: newRefresh }); return res.json({ access_token: newAccess, refresh_token: newRefresh });
} catch (err) { } catch (err) {
console.error('refresh error', err); console.error('[AUTH] refresh error', err);
return res.status(500).json({ error: 'Internal server error' }); return res.status(500).json({ error: 'Internal server error' });
} }
}); });
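Review bot: The new request-received log in the @ -635 hunk interpolates `req.headers['user-agent']` verbatim; that header is client-controlled and unbounded, so a crafted value can make the entry ambiguous to whatever parses these lines or inflate log volume. `userAgent=${JSON.stringify(req.headers['user-agent'])}` (optionally sliced to a fixed length) keeps the field delimited and reviewable. The verification-failed line a few lines below is the one event in this handler an analyst would want to alert on when `reuseDetected` is true, yet it goes to `console.log` at the same level as the routine request-received and token-generated lines; `console.warn` there would let it be filtered separately. The route handler starts and ends outside these hunks.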


@ -28,7 +28,9 @@ function signAccessToken(user, options = {}) {
payload.high_assurance = true; payload.high_assurance = true;
} }
return jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL }); const token = jwt.sign(payload, ACCESS_SECRET, { expiresIn: ACCESS_TTL });
console.log(`[TOKEN_SERVICE] signAccessToken: Generated access token - userId=${user.id}, tokenVersion=${payload.token_version}, expiresIn=${ACCESS_TTL}`);
return token;
} }
async function issueRefreshToken({ async function issueRefreshToken({
@ -105,15 +107,19 @@ async function storeRefreshToken({
} }
async function verifyRefreshToken(rawToken) { async function verifyRefreshToken(rawToken) {
console.log('[TOKEN_SERVICE] verifyRefreshToken: Starting verification');
let payload; let payload;
try { try {
payload = jwt.verify(rawToken, REFRESH_SECRET); payload = jwt.verify(rawToken, REFRESH_SECRET);
console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verified - userId=${payload.sub}, deviceId=${payload.device_id}, tokenId=${payload.jti}`);
} catch (err) { } catch (err) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: JWT verification failed - ${err.message}`);
return null; return null;
} }
const { sub: userId, device_id: deviceId, jti: tokenId } = payload; const { sub: userId, device_id: deviceId, jti: tokenId } = payload;
if (!tokenId) { if (!tokenId) {
console.log('[TOKEN_SERVICE] verifyRefreshToken: No tokenId in payload');
return null; return null;
} }
@ -123,29 +129,35 @@ async function verifyRefreshToken(rawToken) {
); );
if (rows.length === 0) { if (rows.length === 0) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token not found in database - tokenId=${tokenId}`);
return null; return null;
} }
const tokenRow = rows[0]; const tokenRow = rows[0];
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token found in DB - userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}, revoked=${!!tokenRow.revoked_at}`);
if (tokenRow.user_id !== userId || tokenRow.device_id !== deviceId) { if (tokenRow.user_id !== userId || tokenRow.device_id !== deviceId) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: User/device mismatch - expected userId=${userId}, deviceId=${deviceId}, got userId=${tokenRow.user_id}, deviceId=${tokenRow.device_id}`);
await handleReuse(tokenRow); await handleReuse(tokenRow);
return { reuseDetected: true }; return { reuseDetected: true };
} }
const match = await bcrypt.compare(rawToken, tokenRow.token_hash); const match = await bcrypt.compare(rawToken, tokenRow.token_hash);
if (!match) { if (!match) {
console.log('[TOKEN_SERVICE] verifyRefreshToken: Token hash mismatch - possible reuse');
await handleReuse(tokenRow); await handleReuse(tokenRow);
return { reuseDetected: true }; return { reuseDetected: true };
} }
if (tokenRow.revoked_at) { if (tokenRow.revoked_at) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token revoked at ${tokenRow.revoked_at}`);
await handleReuse(tokenRow); await handleReuse(tokenRow);
return { reuseDetected: true }; return { reuseDetected: true };
} }
const now = new Date(); const now = new Date();
if (tokenRow.expires_at <= now) { if (tokenRow.expires_at <= now) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token expired - expiresAt=${tokenRow.expires_at}, now=${now}`);
await revokeToken(tokenRow.id); await revokeToken(tokenRow.id);
return null; return null;
} }
@ -154,6 +166,7 @@ async function verifyRefreshToken(rawToken) {
tokenRow.last_used_at && tokenRow.last_used_at &&
now.getTime() - new Date(tokenRow.last_used_at).getTime() > REFRESH_MAX_IDLE_MS now.getTime() - new Date(tokenRow.last_used_at).getTime() > REFRESH_MAX_IDLE_MS
) { ) {
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token idle timeout exceeded - lastUsedAt=${tokenRow.last_used_at}`);
await revokeToken(tokenRow.id); await revokeToken(tokenRow.id);
return null; return null;
} }
@ -162,6 +175,7 @@ async function verifyRefreshToken(rawToken) {
`UPDATE refresh_tokens SET last_used_at = NOW() WHERE id = $1`, `UPDATE refresh_tokens SET last_used_at = NOW() WHERE id = $1`,
[tokenRow.id] [tokenRow.id]
); );
console.log(`[TOKEN_SERVICE] verifyRefreshToken: Token verified successfully - userId=${userId}, deviceId=${deviceId}`);
return { userId, deviceId, row: tokenRow }; return { userId, deviceId, row: tokenRow };
} }
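Review bot: The three reuse branches in the @ -123 hunk (user/device mismatch, bcrypt hash mismatch, already-revoked token) are logged with `console.log`, the same level as the "Starting verification" and success lines, so the single signal that a refresh token was replayed or stolen is indistinguishable from routine traffic in the output stream; `console.warn` on those three lines and on the JWT-verification-failed line would make them alertable without changing the return values. The mismatch line prints both the expected and observed userId/deviceId pairs, which is useful for triage and fine to keep once it sits at warn level. The added lines log the jti and error message only, never `rawToken` or `token_hash`, so no credential reaches the log in this hunk. verifyRefreshToken begins in an earlier hunk.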