I am new to Express/NodeJS, so please let me know if I am understanding this incorrectly.
This boilerplate uses 3 different types of JWTs, namely Access Tokens, Refresh Tokens and Reset Password Tokens.
All types of tokens are created with the same content and structure:

```js
const jwt = require('jsonwebtoken');
const moment = require('moment');
const config = require('../config/config'); // path assumed from the boilerplate layout

// Same payload shape for every token kind: nothing in the claims says
// whether this is an access, refresh or reset-password token.
const generateToken = (userId, expires, secret = config.jwt.secret) => {
  const payload = {
    sub: userId,
    iat: moment().unix(),
    exp: expires.unix(),
  };
  return jwt.sign(payload, secret);
};
```
Also the auth middleware does not differentiate between the different types:
```js
const passport = require('passport');
const httpStatus = require('http-status');
const ApiError = require('../utils/ApiError'); // path assumed from the boilerplate layout
const { roleRights } = require('../config/roles'); // path assumed from the boilerplate layout

const verifyCallback = (req, resolve, reject, requiredRights) => async (err, user, info) => {
  // Any verification failure (bad signature, expired, unknown user) is a 401.
  // Nothing here inspects the token's kind: a refresh or reset-password token
  // that verifies against the same secret is accepted just like an access token.
  if (err || info || !user) {
    return reject(new ApiError(httpStatus.UNAUTHORIZED, 'Please authenticate'));
  }
  req.user = user;

  if (requiredRights.length) {
    // Unknown roles get no rights instead of throwing on .includes().
    const userRights = roleRights.get(user.role) || [];
    const hasRequiredRights = requiredRights.every((requiredRight) =>
      userRights.includes(requiredRight)
    );
    // The pasted snippet computed hasRequiredRights without using it; reject when a right is missing.
    if (!hasRequiredRights) {
      return reject(new ApiError(httpStatus.FORBIDDEN, 'Forbidden'));
    }
  }

  resolve();
};

const auth = (...requiredRights) => async (req, res, next) => {
  return new Promise((resolve, reject) => {
    passport.authenticate(
      'jwt',
      { session: false },
      verifyCallback(req, resolve, reject, requiredRights)
    )(req, res, next);
  })
    .then(() => next())
    .catch((err) => next(err));
};

module.exports = auth;
```
This leads to all kinds of tokens being valid access tokens.
I am not sure if this is even a problem for security or if it is the intended behavior. It still seems odd to me.
Let me know if I am missing anything.