nestjs · dinuka-rp · Sep 22, 2020 · Sep 22, 2020 · adamwdennis · Mar 22, 2022
diff --git a/content/techniques/authentication.md b/content/techniques/authentication.md
@@ -262,7 +262,7 @@ export class LocalStrategy extends PassportStrategy(Strategy) {
 
 We've followed the recipe described earlier for all Passport strategies. In our use case with passport-local, there are no configuration options, so our constructor simply calls `super()`, without an options object.
 
-> info **Hint** We can pass an options object in the call to `super()` to customize the behavior of the passport strategy. In this example, the passport-local strategy by default expects properties called `username` and `password` in the request body.  Pass an options object to specify different property names, for example: `super({{ '{' }} usernameField: 'email' {{ '}' }})`.  See the [Passport documentation](http://www.passportjs.org/docs/configure/) for more information.
+> info **Hint** We can pass an options object in the call to `super()` to customize the behavior of the passport strategy. In this example, the passport-local strategy by default expects properties called `username` and `password` in the request body. Pass an options object to specify different property names, for example: `super({{ '{' }} usernameField: 'email' {{ '}' }})`. See the [Passport documentation](http://www.passportjs.org/docs/configure/) for more information.
 
 We've also implemented the `validate()` method. For each strategy, Passport will call the verify function (implemented with the `validate()` method in `@nestjs/passport`) using an appropriate strategy-specific set of parameters. For the local-strategy, Passport expects a `validate()` method with the following signature: `validate(username: string, password:string): any`.
 
@@ -921,6 +921,159 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'myjwt')
 
 Then, you refer to this via a decorator like `@UseGuards(AuthGuard('myjwt'))`.
 
+#### Refresh-Token Functionality
+
+When the JWT strategy is in play, the token will expire within a short time frame and the user will have to re-enter authentication details to generate a new JWT. Instead, the user can be sent a refresh-token together with a JWT at the time of authentication. This refresh-token would preferably have a different secret and a longer expiration time.
+
+Since the refresh-token is generated at the same time as the JWT follwing a similar mechanism, it's convenint to keep this within the AuthModule.
-Since the refresh-token is generated at the same time as the JWT follwing a similar mechanism, it's convenint to keep this within the AuthModule.
+Since the refresh-token is generated at the same time as the JWT following a similar mechanism, it's convenient to keep this within the `AuthModule`.
-Since the refresh-token is generated at the same time as the JWT follwing a similar mechanism, it's convenint to keep this within the AuthModule.
+Since the refresh-token is generated at the same time as the JWT following a similar mechanism, it's convenient to keep this within the `AuthModule`.
+
+But, because the secret and signOptions which contains the expiration time are defined in AuthModule when registering the JwtModule, they will have to be overwritten.
+
+Update `constants.ts` in the `auth` folder to contain a new secret for refresh-token mechanism:
+
+```typescript
+@@filename(auth/constants)
+export const jwtConstants = {
+  secret: 'secretKey',
+  refreshSecret:'refreshSecretKey'
+};
+@@switch
+export const jwtConstants = {
+  secret: 'secretKey',
+  refreshSecret:'refreshSecretKey'
+};
+```
+
+Create a new JSON object called `options` and pass in the required values as follows:
+
+Then, pass this in as a second argument to `this.jwtService.sign()` function when generating the refresh-token in `auth.service.ts`.
+
+```typescript
+@@filename(auth/auth.service)
+import { Injectable } from '@nestjs/common';
+import { UsersService } from '../users/users.service';
+import { JwtService } from '@nestjs/jwt';
+import { jwtConstants } from './constants';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private usersService: UsersService,
+    private jwtService: JwtService
+  ) {}
+
+  async validateUser(username: string, pass: string): Promise<any> {
+    const user = await this.usersService.findOne(username);
+    if (user && user.password === pass) {
+      const { password, ...result } = user;
+      return result;
+    }
+    return null;
+  }
+
+  async login(user: any) {
+    const payload = { username: user.username, sub: user.userId };
+    return {
+      access_token: this.jwtService.sign(payload),
+      refresh_token: await this.getRefreshToken(payload),
+    };
+  }
+
+  async getRefreshToken(payload: any): Promise<any> {
+    const options = { secret: jwtConstants.refreshSecret, expiresIn: '30d' };
+    return this.jwtService.sign(payload, options);
+  }
+}
+
+@@switch
+import { Injectable, Dependencies } from '@nestjs/common';
+import { UsersService } from '../users/users.service';
+import { JwtService } from '@nestjs/jwt';
+import { jwtConstants } from './constants';
+
+@Dependencies(UsersService, JwtService)
+@Injectable()
+export class AuthService {
+  constructor(usersService, jwtService) {
+    this.usersService = usersService;
+    this.jwtService = jwtService;
+  }
+
+  async validateUser(username, pass) {
+    const user = await this.usersService.findOne(username);
+    if (user && user.password === pass) {
+      const { password, ...result } = user;
+      return result;
+    }
+    return null;
+  }
+
+  async login(user) {
+    const payload = { username: user.username, sub: user.userId };
+    return {
+      access_token: this.jwtService.sign(payload),
+      refresh_token: await this.getRefreshToken(payload),
+    };
+  }
+
+  async getRefreshToken(payload){
+    const options = { secret: jwtConstants.refreshSecret, expiresIn: '30d' };
+    return this.jwtService.sign(payload, options);
+  }
+}
+```
+
+After this, in order to regenerate the tokens, the following method will be required to be implemented in `AuthService`:
+
+```typescript
+@@filename(auth/auth.service)
+ async regenerateTokens(refresh: any): Promise<any> {
+    const options = { secret: jwtConstants.refreshSecret };
+
+    if (await this.jwtService.verify(refresh.refreshToken, options)) {
+      // if the refreshToken is valid,
+
+      const oldSignedPayload: any = this.jwtService.decode(
+        refresh.refreshToken,
+      );
+      const newUnsignedPayload = {
+        sub: oldSignedPayload.sub,
+        username: oldSignedPayload.username,
+      };
+
+      return {
+        access_token: this.jwtService.sign(newUnsignedPayload),
+        refresh_token: await this.getRefreshToken(newUnsignedPayload),
+      };
+    }
+  }
+@@switch
+async regenerateTokens(refresh) {
+    const options = { secret: jwtConstants.refreshSecret };
+
+    if (await this.jwtService.verify(refresh.refreshToken, options)) {
+      // if the refreshToken is valid,
+
+      const oldSignedPayload = this.jwtService.decode(
+        refresh.refreshToken,
+      );
+      const newUnsignedPayload = {
+        sub: oldSignedPayload.sub,
+        username: oldSignedPayload.username,
+      };
+
+      return {
+        access_token: this.jwtService.sign(newUnsignedPayload),
+        refresh_token: await this.getRefreshToken(newUnsignedPayload),
+      };
+    }
+  }
+```
+Notice that here, the expiration time isn't included in `options` and that the oldSignedPayload is used to retrieve the usename & password (sub) for the token regeneration process.
+
+Extra steps of validation can be added to this by saving the refresh-token in a Database and checking if the refresh-token exists there when it's requested to be regenerated.
+
+
 #### GraphQL
 
 In order to use an AuthGuard with [GraphQL](https://docs.nestjs.com/graphql/quick-start), extend the built-in AuthGuard class and override the getRequest() method.