|
|
@@ -7,16 +7,25 @@ module.exports = options => {
|
|
7
|
7
|
verifyOptions: {
|
|
8
|
8
|
algorithms: ['HS256'],
|
|
9
|
9
|
},
|
|
10
|
|
- // TODO: check the h object to see if the activeSessions is accessible from it
|
|
11
|
|
- // check useronlinestatus branch request.server.app
|
|
|
10
|
+ // NOTE: TASK 3 Not yet done, but this passes a hashedSessionToken
|
|
|
11
|
+ // through headers in failed attempt to never have raw JWT's in front end
|
|
|
12
|
+
|
|
12
|
13
|
// Always check rawAccessToken, if it fails, we check the session, if session
|
|
13
|
14
|
// is valid, then we reissue it
|
|
14
|
15
|
// if session is NOT valid, DELETE the session (and kick user back to login)
|
|
15
|
16
|
// TODO: set up cron job to occassionaly clean up activeSessions
|
|
16
|
17
|
validate: (decoded, request, h) => {
|
|
17
|
|
- const token = request.headers.authorization
|
|
|
18
|
+ // NOTE: this won't work as it immediately invalidates anything that isn't a raw jwt
|
|
|
19
|
+ const hashedSessionToken = request.headers.authorization
|
|
|
20
|
+ const sessionToken =
|
|
|
21
|
+ request.server.app.activeSessions[hashedSessionToken]
|
|
|
22
|
+ .sessionToken
|
|
|
23
|
+ console.log('sessionToken :=>', sessionToken)
|
|
18
|
24
|
try {
|
|
19
|
|
- const validatedJwt = JWT.verify(token, process.env.APP_SECRET)
|
|
|
25
|
+ const validatedJwt = JWT.verify(
|
|
|
26
|
+ sessionToken,
|
|
|
27
|
+ process.env.APP_SECRET,
|
|
|
28
|
+ )
|
|
20
|
29
|
return {
|
|
21
|
30
|
isValid: true,
|
|
22
|
31
|
credentials: validatedJwt.email,
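Review bot: The lookup `request.server.app.activeSessions[hashedSessionToken].sessionToken` (new lines 20-22) runs before the `try`, so an Authorization header that matches no active session makes `.sessionToken` throw a TypeError out of `validate` instead of yielding `isValid: false`; since `activeSessions` appears to be a plain object keyed by a client-supplied header, a key like `constructor` also resolves to a prototype property rather than a session. Guard the lookup with `const session = Object.hasOwn(request.server.app.activeSessions, hashedSessionToken) ? request.server.app.activeSessions[hashedSessionToken] : undefined;` followed by `if (!session) return { isValid: false };`, or keep `activeSessions` as a `Map`. `console.log('sessionToken :=>', sessionToken)` on new line 23 writes the raw JWT to the process log on every authenticated request and should be dropped before this lands, since the commit's stated goal is to keep raw JWTs out of reach. The `validate` function continues past the end of the hunk.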
|