refactor/beckend: Изменить получение токенов (#158)

apps/api/src/auth/auth.service.ts

@@ -19,8 +19,8 @@
 
 @Injectable()
 export class AuthService {
-	private readonly JWT_ACCESS_TOKEN_TTL
-	private readonly JWT_REFRESH_TOKEN_TTL
+	private readonly JWT_ACCESS_TOKEN_TTL: string
+	private readonly JWT_REFRESH_TOKEN_TTL: string
 	private readonly COOKIE_DOMAIN: string
 	private readonly COOKIE_TTL: string
 
@@ -60,7 +60,7 @@
 			},
 		})
 
 		return await this.auth(res, user.id)
 	}
 
 	async login(res: Response, dto: LoginRequestDto) {
@@ -80,13 +80,13 @@
 			throw new NotFoundException('Пользователь не найден')
 		}
 
 		const isPasswordValid = await verify(user.password, password)
 
 		if (!isPasswordValid) {
 			throw new NotFoundException('Пользователь не найден')
 		}
 
 		return await this.auth(res, user.id)
 	}
 
 	async refresh(req: Request, res: Response) {
@@ -118,7 +118,7 @@
 				throw new NotFoundException('Пользователь не найден')
 			}
 
 			return await this.auth(res, user.id)
 		}
 	}
 
@@ -132,7 +132,8 @@
 			}
 		}
 
-		this.setCookie(res, 'refreshToken', new Date(0))
+		this.setCookie(res, 'refreshToken', '', new Date(0), '/auth/refresh')
+		this.setCookie(res, 'accessToken', '', new Date(0), '/')
 
 		return { message: 'Пользователь успешно вышел', success: true }
 	}
@@ -158,34 +159,52 @@
 
 		this.setCookie(
 			res,
+			'refreshToken',
 			refreshToken,
 			new Date(Date.now() + parseTTLToMs(this.COOKIE_TTL)),
+			'/auth/refresh',
 		)
 
+		this.setCookie(
+			res,
+			'accessToken',
+			accessToken,
+			new Date(Date.now() + parseTTLToMs(this.JWT_ACCESS_TOKEN_TTL)),
+			'/',
+		)
+
+		// TODO: удалить когда фронтенд перейдёт на cookie-only
 		return { accessToken }
 	}
 
 	private generateTokens(userId: string) {
 		const payload: JwtPayload = { id: userId }
 
 		const accessToken = this.jwtService.sign(payload, {
-			expiresIn: this.JWT_ACCESS_TOKEN_TTL,
+			expiresIn: parseTTLToMs(this.JWT_ACCESS_TOKEN_TTL) / 1000,
 		})
 
 		const refreshToken = this.jwtService.sign(payload, {
-			expiresIn: this.JWT_REFRESH_TOKEN_TTL,
+			expiresIn: parseTTLToMs(this.JWT_REFRESH_TOKEN_TTL) / 1000,
 		})
 
 		return { accessToken, refreshToken }
 	}
 
-	private setCookie(res: Response, value: string, expires: Date) {
-		res.cookie('refreshToken', value, {
+	private setCookie(
+		res: Response,
+		name: string,
+		value: string,
+		expires: Date,
+		path = '/',
+	) {
+		res.cookie(name, value, {
 			httpOnly: true,
 			secure: !isDev(this.configService),
 			sameSite: isDev(this.configService) ? 'lax' : 'strict',
 			domain: this.COOKIE_DOMAIN,
 			expires,
+			path,
 		})
 	}
 }

apps/api/src/strategies/jwt.strategy.ts

@@ -2,6 +2,7 @@ import { Injectable } from '@nestjs/common'
 import { ConfigService } from '@nestjs/config'
 import { PassportStrategy } from '@nestjs/passport'
 import { ExtractJwt, Strategy } from 'passport-jwt'
+import type { Request } from 'express'
 import { AuthService } from 'src/auth/auth.service'
 import { JwtPayload } from 'src/auth/interfaces/jwt.interface'
 
@@ -12,7 +13,10 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
 		private readonly configService: ConfigService,
 	) {
 		super({
-			jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+			jwtFromRequest: ExtractJwt.fromExtractors([
+				ExtractJwt.fromAuthHeaderAsBearerToken(),
+				(req: Request) => req?.cookies?.['accessToken'] ?? null,
+			]),
 			ignoreExpiration: false,
 			secretOrKey: configService.getOrThrow<string>('JWT_SECRET'),
 			algorithms: ['HS256'],

apps/web/proxy.ts

@@ -8,15 +8,15 @@ import { NextResponse, type NextRequest, type ProxyConfig } from 'next/server'
 
 export function proxy(request: NextRequest) {
 	const { pathname, search } = request.nextUrl
-	const refreshToken = !!request.cookies.get('refreshToken')?.value
+	const accessToken = !!request.cookies.get('accessToken')?.value
 
-	if (!refreshToken && isProtectedRoute(pathname)) {
+	if (!accessToken && isProtectedRoute(pathname)) {
 		const url = new URL(ROUTES.login, request.url)
 		url.searchParams.set(ROUTE_QUERY_PARAMS.from, `${pathname}${search}`)
 		return NextResponse.redirect(url)
 	}
 
-	if (refreshToken && isAuthRoute(pathname)) {
+	if (accessToken && isAuthRoute(pathname)) {
 		return NextResponse.redirect(new URL(ROUTES.teams, request.url))
 	}