Cutlery/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-07-09 03:04:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

Use x-refresh-token for alt method of passing refresh token, check x-refresh-token for logout

Browse Source
This commit is contained in:
advplyr 2025-07-04 13:54:37 -05:00
parent f127a7beb5
commit cdc37ddb0f
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
server/Auth.js
View File

@ -483,11 +483,11 @@ class Auth {
router.post('/auth/refresh', async (req, res) => { router.post('/auth/refresh', async (req, res) => {
let refreshToken = req.cookies.refresh_token let refreshToken = req.cookies.refresh_token
// For mobile clients, the refresh token is sent in the authorization header // If x-refresh-token header is present, use it instead of the cookie
// Force return refresh token if x-return-tokens header is true // and return the refresh token in the response
let shouldReturnRefreshToken = false let shouldReturnRefreshToken = false
if (req.headers.authorization?.startsWith('Bearer ') && (!refreshToken || req.headers['x-return-tokens'] === 'true')) { if (req.headers['x-refresh-token']) {
refreshToken = req.headers.authorization.split(' ')[1] refreshToken = req.headers['x-refresh-token']
shouldReturnRefreshToken = true shouldReturnRefreshToken = true
} }
@ -495,6 +495,8 @@ class Auth {
return res.status(401).json({ error: 'No refresh token provided' }) return res.status(401).json({ error: 'No refresh token provided' })
} }
Logger.debug(`[Auth] refreshing token. shouldReturnRefreshToken: ${shouldReturnRefreshToken}`)
try { try {
// Verify the refresh token // Verify the refresh token
const decoded = jwt.verify(refreshToken, global.ServerSettings.tokenSecret) const decoded = jwt.verify(refreshToken, global.ServerSettings.tokenSecret)
@ -820,7 +822,9 @@ class Auth {
// Logout route // Logout route
router.post('/logout', async (req, res) => { router.post('/logout', async (req, res) => {
const refreshToken = req.cookies.refresh_token // Refresh token be alternatively be sent in the header
const refreshToken = req.cookies.refresh_token || req.headers['x-refresh-token']
// Clear refresh token cookie // Clear refresh token cookie
res.clearCookie('refresh_token', { res.clearCookie('refresh_token', {
path: '/' path: '/'
@ -829,12 +833,15 @@ class Auth {
// Invalidate the session in database using refresh token // Invalidate the session in database using refresh token
if (refreshToken) { if (refreshToken) {
try { try {
Logger.info(`[Auth] logout: Invalidating session for refresh token: ${refreshToken}`)
await Database.sessionModel.destroy({ await Database.sessionModel.destroy({
where: { refreshToken } where: { refreshToken }
}) })
} catch (error) { } catch (error) {
Logger.error(`[Auth] Error destroying session: ${error.message}`) Logger.error(`[Auth] Error destroying session: ${error.message}`)
} }
} else {
Logger.info(`[Auth] logout: No refresh token on request`)
} }
// TODO: invalidate possible JWTs // TODO: invalidate possible JWTs