The latest articles on DEV Community by Álvaro Veiga (@alvaromrveiga). https://dev.to/alvaromrveiga https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F871685%2Fa54b8bf0-e6da-4e84-8334-e03cfd078de9.jpg https://dev.to/alvaromrveiga en Álvaro Veiga Tue, 07 Jun 2022 18:47:20 +0000 https://dev.to/alvaromrveiga/implement-refresh-token-automatic-reuse-detection-without-cluttering-your-database-lb https://dev.to/alvaromrveiga/implement-refresh-token-automatic-reuse-detection-without-cluttering-your-database-lb <p>While studying how to implement refresh tokens rotation in a <a href="https://nodejs.org">Node.js</a> <a href="https://github.com/alvaromrveiga/ecommerce-backend">project</a> I came into this blog post from Auth0: <a href="https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/">What Are Refresh Tokens and How to Use Them Securely</a>. In the section where they explain about Refresh Token Automatic Reuse Detection it is said:</p> <blockquote> <p>The 🚓 Auth0 Authorization Server has been keeping track of all the refresh tokens descending from the original refresh token. That is, it has created a "token family".<br> <a href="https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Refresh-Token-Automatic-Reuse-Detection">Refresh Token Automatic Reuse Detection section</a></p> </blockquote> <p>But if the tokens are never compromised and the application is used regularly by many users that would mean lots of inactive refreshed tokens cluttering the database before expiration.</p> <h2> A Solution </h2> <p>You can add a family property in your refresh tokens model in the database, this is my model using <a href="https://www.prisma.io/">Prisma ORM</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">model</span> <span class="nx">UserTokens</span> <span class="p">{</span> <span class="nx">id</span> <span class="nb">String</span> <span class="p">@</span><span class="nd">id</span> <span class="p">@</span><span class="nd">default</span><span class="p">(</span><span class="nx">uuid</span><span class="p">())</span> <span class="nx">user</span> <span class="nx">User</span> <span class="p">@</span><span class="nd">relation</span><span class="p">(</span><span class="nx">fields</span><span class="p">:</span> <span class="p">[</span><span class="nx">userId</span><span class="p">],</span> <span class="nx">references</span><span class="p">:</span> <span class="p">[</span><span class="nx">id</span><span class="p">],</span> <span class="nx">onDelete</span><span class="p">:</span> <span class="nx">Cascade</span><span class="p">)</span> <span class="nx">userId</span> <span class="nb">String</span> <span class="nx">refreshToken</span> <span class="nb">String</span> <span class="nx">family</span> <span class="nb">String</span> <span class="p">@</span><span class="nd">unique</span> <span class="nx">browserInfo</span> <span class="nb">String</span><span class="p">?</span> <span class="c1">// Show the user logged devices </span> <span class="nx">expiresAt</span> <span class="nx">DateTime</span> <span class="nx">createdAt</span> <span class="nx">DateTime</span> <span class="p">@</span><span class="nd">default</span><span class="p">(</span><span class="nx">now</span><span class="p">())</span> <span class="p">}</span> </code></pre> </div> <p>The family receives a v4 UUID when the user logs in and a brand new refresh token is created. <br> The tokenFamily is added to the refresh token payload for future refreshes:</p> <p>In the following code snippets I'm using <a href="https://nestjs.com/">NestJS framework</a> and <a href="https://www.typescriptlang.org/">TypeScript</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="cm">/** Creates the refresh token and saves it in the database */</span> <span class="k">private</span> <span class="k">async</span> <span class="nx">createRefreshToken</span><span class="p">(</span> <span class="nx">payload</span><span class="p">:</span> <span class="p">{</span> <span class="nl">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">tokenFamily</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">},</span> <span class="nx">browserInfo</span><span class="p">?:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">payload</span><span class="p">.</span><span class="nx">tokenFamily</span><span class="p">)</span> <span class="p">{</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">tokenFamily</span> <span class="o">=</span> <span class="nx">uuidV4</span><span class="p">();</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">jwtService</span><span class="p">.</span><span class="nx">signAsync</span><span class="p">(</span> <span class="p">{</span> <span class="p">...</span><span class="nx">payload</span> <span class="p">},</span> <span class="nx">refreshJwtConfig</span><span class="p">,</span> <span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">saveRefreshToken</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">family</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">tokenFamily</span><span class="p">,</span> <span class="nx">browserInfo</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">refreshToken</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Now that we have our refreshToken created and stored we can use it to refresh the accessToken and rotate the current refreshToken. But first we need to validate it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="cm">/** Checks if the refresh token is valid */</span> <span class="k">private</span> <span class="k">async</span> <span class="nx">validateRefreshToken</span><span class="p">(</span> <span class="nx">refreshToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">refreshTokenContent</span><span class="p">:</span> <span class="nx">RefreshTokenPayload</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prismaService</span><span class="p">.</span><span class="nx">userTokens</span><span class="p">.</span><span class="nx">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">refreshTokenContent</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">isRefreshTokenValid</span> <span class="o">=</span> <span class="nx">userTokens</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">isRefreshTokenValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">removeRefreshTokenFamilyIfCompromised</span><span class="p">(</span> <span class="nx">refreshTokenContent</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="nx">refreshTokenContent</span><span class="p">.</span><span class="nx">tokenFamily</span><span class="p">,</span> <span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">InvalidRefreshTokenException</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** Removes a compromised refresh token family from the database * * If a token that is not in the database is used but it's family exists * that means the token has been compromised and the family should me removed * * Refer to https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation#automatic-reuse-detection */</span> <span class="k">private</span> <span class="k">async</span> <span class="nx">removeRefreshTokenFamilyIfCompromised</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">tokenFamily</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">familyTokens</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prismaService</span><span class="p">.</span><span class="nx">userTokens</span><span class="p">.</span><span class="nx">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">family</span><span class="p">:</span> <span class="nx">tokenFamily</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="nx">familyTokens</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">prismaService</span><span class="p">.</span><span class="nx">userTokens</span><span class="p">.</span><span class="nx">deleteMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">family</span><span class="p">:</span> <span class="nx">tokenFamily</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If the token is invalid but the family exists that means this is a token descending from the original refreshToken, so that family was compromised and should be removed.</p> <h2> Conclusion </h2> <p>To implement Refresh Token Rotation Automatic Reuse Detection without storing all refresh tokens descending from the original one you can create a tokenFamily property in your database model and check for unregistered descendants.<br> I did not go into full details on how I implemented the whole authentication process in this article, but if you want you can check the source code in the <a href="https://github.com/alvaromrveiga/ecommerce-backend">project's repository in GitHub</a></p> webdev tutorial node typescript