Preserve old refresh token if new token does not contain refresh token (#434)

Uzlopak · web-flow · commit 176ef7b8fd7a · 2024-06-29T18:01:51.000-06:00
diff --git a/lib/access-token.js b/lib/access-token.js
@@ -48,6 +48,9 @@ module.exports = class AccessToken {
     const parameters = GrantTypeParams.forGrantType(REFRESH_TOKEN_PROPERTY_NAME, this.#config.options, refreshParams);
     const response = await this.#client.request(this.#config.auth.refreshPath, parameters.toObject(), httpOptions);
 
+    if (response[REFRESH_TOKEN_PROPERTY_NAME] === undefined) {
+      response.refresh_token = this.refresh_token;
+    }
     return new AccessToken(this.#config, this.#client, response);
   }
 
diff --git a/test/_authorization-server-mock.js b/test/_authorization-server-mock.js
@@ -88,6 +88,14 @@ function createAuthorizationServer(authorizationServerUrl) {
       });
   }
 
+  function tokenSuccessWithoutRefreshToken(scopeOptions, params) {
+    return nock(authorizationServerUrl, scopeOptions)
+      .post('/oauth/token', params)
+      .reply(200, { ...accessToken, refresh_token: undefined }, {
+        'Content-Type': 'application/json',
+      });
+  }
+
   return {
     tokenError,
     tokenAuthorizationError,
@@ -98,6 +106,7 @@ function createAuthorizationServer(authorizationServerUrl) {
     tokenSuccessWithNonJSONContent,
     tokenSuccessWithCustomPath,
     tokenSuccess,
+    tokenSuccessWithoutRefreshToken,
   };
 }
 
diff --git a/test/access-token-refresh.js b/test/access-token-refresh.js
@@ -271,3 +271,27 @@ test.serial('@refresh => creates a new access token with custom (inline) http op
   scope.done();
   t.true(has(refreshAccessToken.token, 'access_token'));
 });
+
+test.serial('@refresh => creates a new access token with keeping the old refresh token if refresh did not provide a new refresh token', async (t) => {
+  const config = createModuleConfig();
+
+  const accessTokenResponse = chance.accessToken({
+    expireMode: 'expires_in',
+  });
+
+  const client = new Client(config);
+
+  const refreshParams = {
+    grant_type: 'refresh_token',
+    refresh_token: accessTokenResponse.refresh_token,
+  };
+
+  const server = createAuthorizationServer('https://authorization-server.org:443');
+  const scope = server.tokenSuccessWithoutRefreshToken(scopeOptions, refreshParams);
+
+  const accessToken = new AccessToken(config, client, accessTokenResponse);
+  const refreshAccessToken = await accessToken.refresh();
+
+  scope.done();
+  t.true(has(refreshAccessToken.token, 'refresh_token'));
+});

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,9 @@ module.exports = class AccessToken {`
`48`	`48`	`const parameters = GrantTypeParams.forGrantType(REFRESH_TOKEN_PROPERTY_NAME, this.#config.options, refreshParams);`
`49`	`49`	`const response = await this.#client.request(this.#config.auth.refreshPath, parameters.toObject(), httpOptions);`
`50`	`50`
	`51`	`+ if (response[REFRESH_TOKEN_PROPERTY_NAME] === undefined) {`
	`52`	`+ response.refresh_token = this.refresh_token;`
	`53`	`+ }`
`51`	`54`	`return new AccessToken(this.#config, this.#client, response);`
`52`	`55`	`}`
`53`	`56`