From e2f5762fe4c1a7bc135e10e0241ca994fc4d1302 Mon Sep 17 00:00:00 2001
From: Dinu B <32189942+dvinubius@users.noreply.github.com>
Date: Tue, 31 Jan 2023 01:02:40 +0200
Subject: [PATCH] [fix] handle token refresh after logout

After a logout, making a token refresh attempt without this change means the execution reach the auth service. That one will attempt to verify whether the RT from the headers and the RT hash in the DB match. But the RT hash from the DB was deleted on logout => 500 error
---
 src/auth/strategies/rt.strategy.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/auth/strategies/rt.strategy.ts b/src/auth/strategies/rt.strategy.ts
index f5d4311..7df897a 100644
--- a/src/auth/strategies/rt.strategy.ts
+++ b/src/auth/strategies/rt.strategy.ts
@@ -22,6 +22,11 @@ export class RtStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
 .trim();
 if (!refreshToken) throw new ForbiddenException('Refresh token malformed');
+
+ if (!user.hashedRt) {
+ // if a logout has deleted the rt we should not be allowed to refresh it
+ return false;
+ }
 return {
 ...payload,
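Review bot: The new revoked-token branch returns `false` while the malformed-token check directly above it throws `ForbiddenException`, so the two rejections of the same endpoint surface differently (a falsy result from a Passport validate() is turned into a 401 by Nest's default AuthGuard.handleRequest, whereas the line above yields a 403); pick one outcome and make it explicit, e.g. `if (!user.hashedRt) throw new ForbiddenException('Refresh token revoked');` (message constructed). Because `user` is looked up outside the hunk, it is also unclear whether it can be undefined when the subject in the payload no longer exists; if it can, `user.hashedRt` dereferences it and the 500 this commit sets out to fix merely moves one line earlier, so either guard with `if (!user?.hashedRt)` or reject a missing user before this check. Rather than the present comment, a line such as `// a logout clears hashedRt; a refresh token presented afterwards must be rejected here, before the service compares hashes` would record why the check lives in the strategy. The enclosing validate() method starts and ends outside this hunk.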