update

2026-03-16 14:41:08 +01:00
parent 5f329bb5c1
commit 215528a521
46 changed files with 462 additions and 251 deletions
--- a/backend/src/services/token.service.ts
+++ b/backend/src/services/token.service.ts
@@ -16,6 +16,7 @@ class TokenService {
          authentikSub: payload.authentikSub,
          groups: payload.groups ?? [],
          role: payload.role,
+          type: 'access',
        },
        environment.jwt.secret,
        {
@@ -39,7 +40,11 @@ class TokenService {
      const decoded = jwt.verify(
        token,
        environment.jwt.secret
-      ) as JwtPayload;
+      ) as JwtPayload & { type?: string };
+
+      if (decoded.type && decoded.type !== 'access') {
+        throw new Error('Invalid token type');
+      }

      logger.debug('JWT token verified', { userId: decoded.userId });
      return decoded;
@@ -66,6 +71,7 @@ class TokenService {
        {
          userId: payload.userId,
          email: payload.email,
+          type: 'refresh',
        },
        environment.jwt.secret,
        {
@@ -89,7 +95,11 @@ class TokenService {
      const decoded = jwt.verify(
        token,
        environment.jwt.secret
-      ) as RefreshTokenPayload;
+      ) as RefreshTokenPayload & { type?: string };
+
+      if (decoded.type && decoded.type !== 'refresh') {
+        throw new Error('Invalid token type');
+      }

      logger.debug('Refresh token verified', { userId: decoded.userId });
      return decoded;