diff --git a/server/core/auth.js b/server/core/auth.js index ecb85726..5cafc109 100644 --- a/server/core/auth.js +++ b/server/core/auth.js @@ -115,27 +115,30 @@ module.exports = { let mustRevalidate = false // Expired but still valid within N days, just renew - if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromSeconds(info.expiredAt)) { + if (info instanceof Error && info.name === 'TokenExpiredError' && DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) < DateTime.fromISO(info.expiredAt)) { mustRevalidate = true } // Check if user / group is in revokation list - if (user) { + if (user && !mustRevalidate) { const uRevalidate = WIKI.auth.revokationList.get(`u${_.toString(user.id)}`) if (uRevalidate && user.iat < uRevalidate) { mustRevalidate = true - } - for (const gid of user.groups) { - const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`) - if (gRevalidate && user.iat < gRevalidate) { - mustRevalidate = true + } else if (DateTime.fromSeconds(user.iat) <= WIKI.startedAt) { // Prevent new / restarted instance from allowing revoked tokens + mustRevalidate = true + } else { + for (const gid of user.groups) { + const gRevalidate = WIKI.auth.revokationList.get(`g${_.toString(gid)}`) + if (gRevalidate && user.iat < gRevalidate) { + mustRevalidate = true + break + } } } } // Revalidate and renew token if (mustRevalidate) { - console.info('MUST REVALIDATE') const jwtPayload = jwt.decode(securityHelper.extractJWT(req)) try { const newToken = await WIKI.models.users.refreshToken(jwtPayload.id) diff --git a/server/index.js b/server/index.js index 939abf63..254335c9 100644 --- a/server/index.js +++ b/server/index.js @@ -5,6 +5,7 @@ const path = require('path') const { nanoid } = require('nanoid') +const { DateTime } = require('luxon') let WIKI = { IS_DEBUG: process.env.NODE_ENV === 'development', @@ -14,7 +15,8 @@ let WIKI = { SERVERPATH: path.join(process.cwd(), 'server'), Error: require('./helpers/error'), configSvc: require('./core/config'), - kernel: require('./core/kernel') + kernel: require('./core/kernel'), + startedAt: DateTime.utc() } global.WIKI = WIKI