demo-graphql-oauth/src/integration/refresh_token.spec.ts

import cookie = require("cookie")
import { gql } from "apollo-server-express"
import { GraphQLClient, rawRequest } from "graphql-request"
import fetch from "node-fetch"
import { createConnection } from "typeorm"
import { createServer } from "../server"
import { gqlToStr } from "../server/schema"
import {
    gqlUri,
    refreshTokenUri,
    testingConnectionOptions,
    testingPort,
} from "../server/testing"
import {
    rtCookieOptions,
    signRefreshToken,
    verifiedRefreshTokenPayload,
} from "../server/UserResolver/auth"
import { User } from "../server/UserResolver/User"

let user: User

describe("server should", () => {
    it("reject refresh token without valid cookie", async () => {
        const response = await fetch(refreshTokenUri, {
            method: "POST",
            headers: { cookie: "INVALID-COOKIE" },
        })
        const jsonResponse = await response.json()

        expect(jsonResponse.data).toBeNull()
        expect(jsonResponse.errors).not.toBeUndefined()
    })

    it("reject refresh token with tokenVersion mismatch", async () => {
        const oldRefreshToken = signRefreshToken({ uid: user.id, ver: 0 })
        const cookieHeader = cookie.serialize("rt", oldRefreshToken, rtCookieOptions())

        await user.invalidateTokens()
        const response = await fetch(refreshTokenUri, {
            method: "POST",
            headers: { cookie: cookieHeader },
        })
        const jsonResponse = await response.json()

        expect(jsonResponse.data).toBeNull()
        expect(jsonResponse.errors).not.toBeUndefined()
    })

    it("provide access token given good crendentials and grant refresh token with it", async () => {
        const halfADay = (60 * 60 * 24) / 2
        const fifteenDays = 60 * 60 * 24 * 15

        const accessTokenReponse = await rawRequest(gqlUri, gqlToStr(accessTokenMutation))
        const accessToken: string = accessTokenReponse.data.accessToken
        const headers: Headers = accessTokenReponse.headers
        const varyHeader = headers.get("vary") as string
        const acacHeader = headers.get("access-control-allow-credentials") as string
        const acaoHeader = headers.get("access-control-allow-origin") as string

        const cookieHeader = headers.get("set-cookie") as string
        const parsedCookie = cookie.parse(cookieHeader)
        const refreshCookieExpires = dateInKiloSeconds(parsedCookie.Expires)
        const refreshTokenPayload = verifiedRefreshTokenPayload(parsedCookie.rt)
        const jwtLifetime = refreshTokenPayload.exp! - refreshTokenPayload.iat!
        const refLifetime = dateInKiloSeconds(new Date().getTime() + jwtLifetime * 1000)

        const client = new GraphQLClient(gqlUri, {
            headers: {
                Authorization: "Bearer " + accessToken,
            },
        })
        const meResponse = await client.rawRequest(gqlToStr(meMutation))

        const refreshTokenResponse = await fetch(refreshTokenUri, {
            method: "POST",
            headers: { cookie: cookieHeader },
        })
        const jsonResponse = await refreshTokenResponse.json()

        expect(varyHeader).toBe("Origin")
        expect(acacHeader).toBe("true")
        expect(acaoHeader).toMatch(/http:/)

        expect(cookieHeader).toMatch(/HttpOnly/)
        expect(parsedCookie.Path).toBe("/refresh_token")
        expect(refreshTokenPayload.uid).toBe(user.id)
        expect(refreshTokenPayload.ver).toBe(user.tokenVersion)
        expect(refreshTokenPayload.msc).toBeLessThan(1000)
        expect(refreshCookieExpires).toBeCloseTo(refLifetime)
        expect(jwtLifetime).toBeGreaterThanOrEqual(halfADay)
        expect(jwtLifetime).not.toBeGreaterThan(fifteenDays)

        expect(meResponse.data.me.email).toBe("auth@server.com")

        expect(jsonResponse.data).toBeDefined()
        expect(jsonResponse.errors).toBeUndefined()
    })

    it("provide an empty rt cookie on signOut mutation", async () => {
        const signOutReponse = await rawRequest(gqlUri, gqlToStr(signOutMutation))
        const headers: Headers = signOutReponse.headers
        const cookieHeader = headers.get("set-cookie") as string
        const parsedCookie = cookie.parse(cookieHeader)

        expect(cookieHeader).toMatch(/HttpOnly/)
        expect(parsedCookie.Path).toBe("/refresh_token")
        expect(parsedCookie.rt).toBe("")
    })
})

beforeAll(async () => {
    await createConnection(testingConnectionOptions())
    await createServer(testingPort)

    await User.delete({ email: "auth@server.com" })
    user = await User.create({ email: "auth@server.com", password: "password" }).save()
})

afterAll(async () => {
    await User.delete({ email: "auth@server.com" })
})

const accessTokenMutation = gql`
    mutation {
        accessToken(email: "auth@server.com", password: "password")
    }
`

const meMutation = gql`
    mutation {
        me {
            email
        }
    }
`

const signOutMutation = gql`
    mutation {
        signOut
    }
`

const dateInKiloSeconds = (date: string | number) => new Date(date).getTime() / 1000000
add revoke and signOut 4 years ago			`import cookie = require("cookie")`
add refresh tokens feature 5 years ago			`import { gql } from "apollo-server-express"`
			`import { GraphQLClient, rawRequest } from "graphql-request"`
prepare for refresh tokens feature 5 years ago			`import fetch from "node-fetch"`
			`import { createConnection } from "typeorm"`
implement FigureResolver 4 years ago			`import { createServer } from "../server"`
			`import { gqlToStr } from "../server/schema"`
			`import {`
			`gqlUri,`
			`refreshTokenUri,`
			`testingConnectionOptions,`
			`testingPort,`
			`} from "../server/testing"`
add revoke and signOut 4 years ago			`import {`
			`rtCookieOptions,`
			`signRefreshToken,`
			`verifiedRefreshTokenPayload,`
implement FigureResolver 4 years ago			`} from "../server/UserResolver/auth"`
			`import { User } from "../server/UserResolver/User"`
add revoke and signOut 4 years ago
			`let user: User`
prepare for refresh tokens feature 5 years ago
			`describe("server should", () => {`
add revoke and signOut 4 years ago			`it("reject refresh token without valid cookie", async () => {`
			`const response = await fetch(refreshTokenUri, {`
			`method: "POST",`
			`headers: { cookie: "INVALID-COOKIE" },`
			`})`
			`const jsonResponse = await response.json()`

			`expect(jsonResponse.data).toBeNull()`
			`expect(jsonResponse.errors).not.toBeUndefined()`
			`})`

			`it("reject refresh token with tokenVersion mismatch", async () => {`
			`const oldRefreshToken = signRefreshToken({ uid: user.id, ver: 0 })`
			`const cookieHeader = cookie.serialize("rt", oldRefreshToken, rtCookieOptions())`

			`await user.invalidateTokens()`
			`const response = await fetch(refreshTokenUri, {`
			`method: "POST",`
			`headers: { cookie: cookieHeader },`
			`})`
			`const jsonResponse = await response.json()`

			`expect(jsonResponse.data).toBeNull()`
			`expect(jsonResponse.errors).not.toBeUndefined()`
			`})`

			`it("provide access token given good crendentials and grant refresh token with it", async () => {`
enable cors 4 years ago			`const halfADay = (60 * 60 * 24) / 2`
			`const fifteenDays = 60 * 60 * 24 * 15`
prepare for refresh tokens feature 5 years ago
add revoke and signOut 4 years ago			`const accessTokenReponse = await rawRequest(gqlUri, gqlToStr(accessTokenMutation))`
enable cors 4 years ago			`const accessToken: string = accessTokenReponse.data.accessToken`
			`const headers: Headers = accessTokenReponse.headers`
			`const varyHeader = headers.get("vary") as string`
			`const acacHeader = headers.get("access-control-allow-credentials") as string`
			`const acaoHeader = headers.get("access-control-allow-origin") as string`
add revoke and signOut 4 years ago
			`const cookieHeader = headers.get("set-cookie") as string`
enable cors 4 years ago			`const parsedCookie = cookie.parse(cookieHeader)`
			`const refreshCookieExpires = dateInKiloSeconds(parsedCookie.Expires)`
			`const refreshTokenPayload = verifiedRefreshTokenPayload(parsedCookie.rt)`
			`const jwtLifetime = refreshTokenPayload.exp! - refreshTokenPayload.iat!`
			`const refLifetime = dateInKiloSeconds(new Date().getTime() + jwtLifetime * 1000)`
prepare for refresh tokens feature 5 years ago
enable cors 4 years ago			`const client = new GraphQLClient(gqlUri, {`
			`headers: {`
			`Authorization: "Bearer " + accessToken,`
			`},`
			`})`
add revoke and signOut 4 years ago			`const meResponse = await client.rawRequest(gqlToStr(meMutation))`
prepare for refresh tokens feature 5 years ago
enable cors 4 years ago			`const refreshTokenResponse = await fetch(refreshTokenUri, {`
			`method: "POST",`
			`headers: { cookie: cookieHeader },`
			`})`
			`const jsonResponse = await refreshTokenResponse.json()`
prepare for refresh tokens feature 5 years ago
enable cors 4 years ago			`expect(varyHeader).toBe("Origin")`
			`expect(acacHeader).toBe("true")`
			`expect(acaoHeader).toMatch(/http:/)`
add revoke and signOut 4 years ago
enable cors 4 years ago			`expect(cookieHeader).toMatch(/HttpOnly/)`
			`expect(parsedCookie.Path).toBe("/refresh_token")`
add revoke and signOut 4 years ago			`expect(refreshTokenPayload.uid).toBe(user.id)`
			`expect(refreshTokenPayload.ver).toBe(user.tokenVersion)`
			`expect(refreshTokenPayload.msc).toBeLessThan(1000)`
enable cors 4 years ago			`expect(refreshCookieExpires).toBeCloseTo(refLifetime)`
			`expect(jwtLifetime).toBeGreaterThanOrEqual(halfADay)`
			`expect(jwtLifetime).not.toBeGreaterThan(fifteenDays)`
add revoke and signOut 4 years ago
enable cors 4 years ago			`expect(meResponse.data.me.email).toBe("auth@server.com")`
add revoke and signOut 4 years ago
enable cors 4 years ago			`expect(jsonResponse.data).toBeDefined()`
			`expect(jsonResponse.errors).toBeUndefined()`
			`})`
prepare for refresh tokens feature 5 years ago
add revoke and signOut 4 years ago			`it("provide an empty rt cookie on signOut mutation", async () => {`
			`const signOutReponse = await rawRequest(gqlUri, gqlToStr(signOutMutation))`
			`const headers: Headers = signOutReponse.headers`
			`const cookieHeader = headers.get("set-cookie") as string`
			`const parsedCookie = cookie.parse(cookieHeader)`
make tests run in parallel 5 years ago
add revoke and signOut 4 years ago			`expect(cookieHeader).toMatch(/HttpOnly/)`
			`expect(parsedCookie.Path).toBe("/refresh_token")`
			`expect(parsedCookie.rt).toBe("")`
enable cors 4 years ago			`})`
add refresh tokens feature 5 years ago			`})`
make tests run in parallel 5 years ago
add refresh tokens feature 5 years ago			`beforeAll(async () => {`
enable cors 4 years ago			`await createConnection(testingConnectionOptions())`
implement FigureResolver 4 years ago			`await createServer(testingPort)`
add revoke and signOut 4 years ago
			`await User.delete({ email: "auth@server.com" })`
			`user = await User.create({ email: "auth@server.com", password: "password" }).save()`
add refresh tokens feature 5 years ago			`})`
make tests run in parallel 5 years ago
add refresh tokens feature 5 years ago			`afterAll(async () => {`
add revoke and signOut 4 years ago			`await User.delete({ email: "auth@server.com" })`
make tests run in parallel 5 years ago			`})`
add refresh tokens feature 5 years ago
add revoke and signOut 4 years ago			const accessTokenMutation = gql`
enable cors 4 years ago			`mutation {`
			`accessToken(email: "auth@server.com", password: "password")`
			`}`
add refresh tokens feature 5 years ago			`

add revoke and signOut 4 years ago			const meMutation = gql`
			`mutation {`
enable cors 4 years ago			`me {`
			`email`
			`}`
			`}`
add refresh tokens feature 5 years ago			`

add revoke and signOut 4 years ago			const signOutMutation = gql`
			`mutation {`
			`signOut`
			`}`
			`

add refresh tokens feature 5 years ago			`const dateInKiloSeconds = (date: string \| number) => new Date(date).getTime() / 1000000`