use cookie to send refreshToken

2023-02-27 22:49:58 +08:00 · 2023-02-27 22:49:58 +08:00 · 699897b071
commit 699897b071
parent 9be9a1a2b3
9 changed files with 115 additions and 30 deletions
--- a/package.json
+++ b/package.json
@ -39,6 +39,8 @@
    "bcrypt": "^5.1.0",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.0",
    "cookie-parser": "^1.4.6",
    "ms": "3.0.0-canary.1",
    "nestjs-prisma": "^0.20.0",
    "nodemailer": "^6.9.1",
    "passport": "^0.6.0",
@ -50,6 +52,7 @@
    "@nestjs/cli": "^9.0.0",
    "@nestjs/schematics": "^9.0.0",
    "@types/bcrypt": "^5.0.0",
    "@types/cookie-parser": "^1.4.3",
    "@types/express": "^4.17.13",
    "@types/node": "18.11.18",
    "@types/passport-jwt": "^3.0.8",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -14,6 +14,7 @@ specifiers:
  '@nestjs/swagger': ^6.2.1
  '@prisma/client': ^4.10.1
  '@types/bcrypt': ^5.0.0
  '@types/cookie-parser': ^1.4.3
  '@types/express': ^4.17.13
  '@types/jsonwebtoken': ^9.0.1
  '@types/node': 18.11.18
@ -23,11 +24,13 @@ specifiers:
  bcrypt: ^5.1.0
  class-transformer: ^0.5.1
  class-validator: ^0.14.0
  cookie-parser: ^1.4.6
  eslint: ^8.0.1
  eslint-config-prettier: ^8.3.0
  eslint-plugin-prettier: ^4.0.0
  husky: ^8.0.0
  lint-staged: ^13.1.2
  ms: 3.0.0-canary.1
  nestjs-prisma: ^0.20.0
  nodemailer: ^6.9.1
  passport: ^0.6.0
@ -58,6 +61,8 @@ dependencies:
  bcrypt: 5.1.0
  class-transformer: 0.5.1
  class-validator: 0.14.0
  cookie-parser: 1.4.6
  ms: 3.0.0-canary.1
  nestjs-prisma: 0.20.0_uhhmeuf5jto6tk72f36tv2cdfe
  nodemailer: 6.9.1
  passport: 0.6.0
@ -69,6 +74,7 @@ devDependencies:
  '@nestjs/cli': 9.2.0
  '@nestjs/schematics': 9.0.4_typescript@4.9.5
  '@types/bcrypt': 5.0.0
  '@types/cookie-parser': 1.4.3
  '@types/express': 4.17.17
  '@types/node': 18.11.18
  '@types/passport-jwt': 3.0.8
@ -756,6 +762,12 @@ packages:
      '@types/node': 18.11.18
    dev: true
  /@types/cookie-parser/1.4.3:
    resolution: {integrity: sha512-CqSKwFwefj4PzZ5n/iwad/bow2hTCh0FlNAeWLtQM3JA/NX/iYagIpWG2cf1bQKQ2c9gU2log5VUCrn7LDOs0w==}
    dependencies:
      '@types/express': 4.17.17
    dev: true
  /@types/ejs/3.1.2:
    resolution: {integrity: sha512-ZmiaE3wglXVWBM9fyVC17aGPkLo/UgaOjEiI2FXQfyczrCefORPxIe+2dVmnmk3zkVIbizjrlQzmPGhSYGXG5g==}
    requiresBuild: true
@ -1754,10 +1766,23 @@ packages:
    engines: {node: '>= 0.6'}
    dev: false
  /cookie-parser/1.4.6:
    resolution: {integrity: sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==}
    engines: {node: '>= 0.8.0'}
    dependencies:
      cookie: 0.4.1
      cookie-signature: 1.0.6
    dev: false
  /cookie-signature/1.0.6:
    resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}
    dev: false
  /cookie/0.4.1:
    resolution: {integrity: sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA==}
    engines: {node: '>= 0.6'}
    dev: false
  /cookie/0.5.0:
    resolution: {integrity: sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==}
    engines: {node: '>= 0.6'}
@ -3989,6 +4014,11 @@ packages:
    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
    dev: false
  /ms/3.0.0-canary.1:
    resolution: {integrity: sha512-kh8ARjh8rMN7Du2igDRO9QJnqCb2xYTJxyQYK7vJJS4TvLLmsbyhiKpSW+t+y26gyOyMd0riphX0GeWKU3ky5g==}
    engines: {node: '>=12.13'}
    dev: false
  /multer/1.4.4-lts.1:
    resolution: {integrity: sha512-WeSGziVj6+Z2/MwQo3GvqzgR+9Uc+qt8SwHKh3gvNPiISKfsMfG4SvCOFYlxxgkXt7yIV2i1yczehm0EOKIxIg==}
    engines: {node: '>= 6.0.0'}
--- a/src/common/configs/security.config.ts
+++ b/src/common/configs/security.config.ts
@ -1,10 +1,11 @@
 import { registerAs, ConfigType } from '@nestjs/config'
 import ms, { StringValue } from 'ms'
 export const securityConfig = registerAs('security', () => ({
  jwt_access_secret: process.env.JWT_ACCESS_SECRET || 'JWT_ACCESS_SECRET',
  jwt_refresh_secret: process.env.JWT_REFRESH_SECRET || 'JWT_REFRESH_SECRET',
-  expiresIn: process.env.expiresIn || '15m',
+  expiresIn: ms((process.env.expiresIn || '15m') as StringValue),
-  refreshIn: process.env.refreshIn || '7d',
+  refreshIn: ms((process.env.refreshIn || '7d') as StringValue),
  bcryptSaltOrRound: Number(process.env.bcryptSaltOrRound) || 10,
 }))
--- a/src/common/decorators/cookies.decorator.ts
+++ b/src/common/decorators/cookies.decorator.ts
@ -0,0 +1,9 @@
 import { createParamDecorator, ExecutionContext } from '@nestjs/common'
 export const Cookies = createParamDecorator(
  (data: string, ctx: ExecutionContext) => {
    const request = ctx.switchToHttp().getRequest()
    return data ? request.cookies?.[data] : request.cookies
  },
 )
--- a/src/main.ts
+++ b/src/main.ts
@ -3,6 +3,7 @@ import { ValidationPipe } from '@nestjs/common'
 import { ConfigService } from '@nestjs/config'
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger'
 import { PrismaClientExceptionFilter, PrismaService } from 'nestjs-prisma'
 import * as CookieParser from 'cookie-parser'
 import { JwtExceptionsFilter } from './common/filters/jwt-exceptions.filter'
 import { AppModule } from './app.module'
@ -21,9 +22,13 @@ async function bootstrap() {
  app.useGlobalFilters(new PrismaClientExceptionFilter(httpAdapter))
  app.useGlobalFilters(new JwtExceptionsFilter(httpAdapter))
  // CookieParser
  app.use(CookieParser())
  // Swagger Api
  const options = new DocumentBuilder()
    .addBearerAuth()
    .addCookieAuth('refreshToken')
    .setTitle('Nest Project')
    .setDescription('The Nest-Project API description')
    .setVersion('1.0')
--- a/src/users/dto/token.dto.ts
+++ b/src/users/dto/token.dto.ts
@ -1,6 +1,5 @@
 import '@nestjs/mapped-types'
 import { ApiProperty } from '@nestjs/swagger'
 import { IsString } from 'class-validator'
 export class Token {
  @ApiProperty()
@ -9,11 +8,6 @@ export class Token {
  refreshToken: string
 }
 export class TokenRefreshPayload {
  @IsString()
  refreshToken: string
 }
 export class TokenPayload {
  userId: string
 }
--- a/src/users/me.controller.ts
+++ b/src/users/me.controller.ts
@ -5,10 +5,14 @@ import {
  Patch,
  Put,
  Body,
  Res,
  UseInterceptors,
  BadRequestException,
  Query,
  UnauthorizedException,
 } from '@nestjs/common'
 import type { Response } from 'express'
 import { Cookies } from 'src/common/decorators/cookies.decorator'
 import { MeService } from './me.service'
 import { ApiTags, ApiOperation, ApiUnauthorizedResponse } from '@nestjs/swagger'
 import { User } from 'src/common/decorators/user.decorator'
@ -19,7 +23,6 @@ import { UserEntity } from './entities/user.entity'
 import { DeleteUserDto } from './dto/delete-user.dto'
 import { ChangePassword } from './dto/change-password.dto'
 import { UpdateUserDto } from './dto/update-user.dto'
 import { TokenRefreshPayload } from './dto/token.dto'
 import { ChangeEmailDto } from './dto/change-email.dto'
@Controller('api/users/me')
@ -93,7 +96,18 @@ export class MeController {
  @Put('token')
  @ApiOperation({ summary: '刷新token' })
  @ApiUnauthorizedResponse({ description: 'Unauthorized' })
-  async updateAccessToken(@Body() payload: TokenRefreshPayload) {
+  async updateAccessToken(
-    return this.meService.updateAccessToken(payload.refreshToken)
+    @Res({ passthrough: true }) res: Response,
    @Cookies('refreshToken') refreshToken: string,
  ) {
    if (!refreshToken) {
      throw new UnauthorizedException('no refresh token')
    }
    try {
      return this.meService.updateAccessToken(refreshToken)
    } catch (err) {
      res.clearCookie('refreshToken')
      throw err
    }
  }
 }
--- a/src/users/me.service.ts
+++ b/src/users/me.service.ts
@ -77,17 +77,13 @@ export class MeService {
    if (iat * 1000 < user.updatedAt.getTime()) {
      throw new UnauthorizedException('token失效，请重新登录')
    }
-    return {
+    return this.jwtService.sign(
-      userId,
+      { userId },
-      refreshToken: refreshToken,
+      {
-      accessToken: this.jwtService.sign(
+        secret: this.secureConfig.jwt_access_secret,
-        { userId },
+        expiresIn: this.secureConfig.refreshIn,
-        {
+      },
-          secret: this.secureConfig.jwt_refresh_secret,
+    )
          expiresIn: this.secureConfig.refreshIn,
        },
      ),
    }
  }
  private async checkPassword(pwd: string, hashPwd: string) {
--- a/src/users/users.controller.ts
+++ b/src/users/users.controller.ts
@ -1,31 +1,64 @@
-import { Controller, Post, Patch, Body, Param } from '@nestjs/common'
+import { Controller, Inject, Post, Patch, Body, Res } from '@nestjs/common'
 import type { Response, CookieOptions } from 'express'
 import { UsersService } from './users.service'
 import { ApiTags, ApiOperation } from '@nestjs/swagger'
 import { CreateUserDto } from './dto/create-user.dto'
 import { LoginInputDto } from './dto/login-input.dto'
 import { ResetPassword } from './dto/reset-password.dto'
 import { securityConfig, SecurityConfig } from 'src/common/configs'
@Controller('api/users')
@ApiTags('Users')
 export class UsersController {
-  constructor(private readonly usersService: UsersService) {}
+  private refreshTokenCookieConfig: CookieOptions = {
    path: '/api/users/me/token',
    secure: true,
    maxAge: this.secureConfig.refreshIn / 1000,
    httpOnly: true,
    sameSite: 'lax',
  }
  constructor(
    private readonly usersService: UsersService,
    @Inject(securityConfig.KEY) private secureConfig: SecurityConfig,
  ) {}
  @Post()
  @ApiOperation({ summary: '邮箱注册' })
-  async registerByEmail(@Body() userData: CreateUserDto) {
+  async registerByEmail(
-    return this.usersService.registerByEmail(userData)
+    @Body() userData: CreateUserDto,
    @Res({ passthrough: true }) res: Response,
  ) {
    const { refreshToken, accessToken } =
      await this.usersService.registerByEmail(userData)
    res.cookie('refreshToken', refreshToken, this.refreshTokenCookieConfig)
    return accessToken
  }
  // TODO: 限制调用频率，避免暴力破解
  @Post('token')
  @ApiOperation({ summary: '邮箱登录' })
-  async loginByEmail(@Body() user: LoginInputDto) {
+  async loginByEmail(
-    return this.usersService.loginByEmail(user.email, user.password)
+    @Body() user: LoginInputDto,
    @Res({ passthrough: true }) res: Response,
  ) {
    const { refreshToken, accessToken } = await this.usersService.loginByEmail(
      user.email,
      user.password,
    )
    res.cookie('refreshToken', refreshToken, this.refreshTokenCookieConfig)
    return accessToken
  }
  @Patch('password')
  @ApiOperation({ summary: '找回密码' })
-  async forgetPassword(@Body() payload: ResetPassword) {
+  async forgetPassword(
-    return this.usersService.resetPasswordByEmail(payload)
+    @Body() payload: ResetPassword,
    @Res({ passthrough: true }) res: Response,
  ) {
    const { refreshToken, accessToken } =
      await this.usersService.resetPasswordByEmail(payload)
    res.cookie('refreshToken', refreshToken, this.refreshTokenCookieConfig)
    return accessToken
  }
 }