Add: 10 second grace period to access token cycle

server/auth/TokenManager.js

@@ -12,9 +12,9 @@ class TokenManager {
 
   constructor() {
     /** @type {number} Refresh token expiry in seconds */
-    this.RefreshTokenExpiry = parseInt(process.env.REFRESH_TOKEN_EXPIRY) || 30 * 24 * 60 * 60 // 30 days
+    this.RefreshTokenExpiry = parseInt(process.env.REFRESH_TOKEN_EXPIRY) || 3 // 3 seconds for testing
     /** @type {number} Access token expiry in seconds */
-    this.AccessTokenExpiry = parseInt(process.env.ACCESS_TOKEN_EXPIRY) || 1 * 60 * 60 // 1 hour
+    this.AccessTokenExpiry = parseInt(process.env.ACCESS_TOKEN_EXPIRY) || 60 // 60 seconds for testing
 
     if (parseInt(process.env.REFRESH_TOKEN_EXPIRY) > 0) {
       Logger.info(`[TokenManager] Refresh token expiry set from ENV variable to ${this.RefreshTokenExpiry} seconds`)
@@ -193,6 +193,11 @@ class TokenManager {
     // Calculate new expiration time
     const newExpiresAt = new Date(Date.now() + this.RefreshTokenExpiry * 1000)
 
+    // Set grace period of old refresh token in case of race condition in token rotation.
+    // This grace period may need to be longer if fetching the user data takes longer due to large progress objects
+    session.lastRefreshToken = session.refreshToken
+    session.lastRefreshTokenExpiresAt = new Date(Date.now() + 10 * 1000) // 10 seconds grace period
+
     // Update the session with the new refresh token and expiration
     session.refreshToken = newRefreshToken
     session.expiresAt = newExpiresAt
@@ -287,8 +292,10 @@ class TokenManager {
         }
       }
 
-      const session = await Database.sessionModel.findOne({
-        where: { refreshToken: refreshToken }
+      let session = await Database.sessionModel.findOne({
+        where: {
+          [Op.or]: [{ refreshToken: refreshToken }, { lastRefreshToken: refreshToken }]
+        }
       })
 
       if (!session) {
@@ -298,12 +305,27 @@ class TokenManager {
         }
       }
 
-      // Check if session is expired in database
-      if (session.expiresAt < new Date()) {
-        Logger.info(`[TokenManager] Session expired in database, cleaning up`)
-        await session.destroy()
-        return {
-          error: 'Refresh token expired'
+      let isGracePeriod = false
+      if (session.refreshToken !== refreshToken) {
+        // Token matched lastRefreshToken
+        if (session.lastRefreshTokenExpiresAt && session.lastRefreshTokenExpiresAt > new Date()) {
+          isGracePeriod = true
+          Logger.debug(`[TokenManager] Grace period hit for user ${session.userId}`)
+        } else {
+          Logger.debug(`[TokenManager] Grace period expired for user ${session.userId}`)
+          return {
+            error: 'Invalid refresh token'
+          }
+        }
+      } else {
+        // Token matched current refreshToken
+        // Check if session is expired in database
+        if (session.expiresAt < new Date()) {
+          Logger.info(`[TokenManager] Session expired in database, cleaning up`)
+          await session.destroy()
+          return {
+            error: 'Refresh token expired'
+          }
         }
       }
 
@@ -315,6 +337,20 @@ class TokenManager {
         }
       }
 
+      if (isGracePeriod) {
+        // Return the already rotated refresh token store in the database,
+        // and generate a new access token without changing the refresh token
+        // again
+        const accessToken = this.generateTempAccessToken(user)
+        this.setRefreshTokenCookie(req, res, session.refreshToken)
+
+        return {
+          accessToken,
+          refreshToken: session.refreshToken,
+          user
+        }
+      }
+
       const newTokens = await this.rotateTokensForSession(session, user, req, res)
       return {
         accessToken: newTokens.accessToken,

server/migrations/v2.33.0-add-last-refresh-token.js

@@ -0,0 +1,84 @@
+/**
+ * @typedef MigrationContext
+ * @property {import('sequelize').QueryInterface} queryInterface - a Sequelize QueryInterface object.
+ * @property {import('../Logger')} logger - a Logger object.
+ *
+ * @typedef MigrationOptions
+ * @property {MigrationContext} context - an object containing the migration context.
+ */
+
+const migrationVersion = '2.33.0'
+const migrationName = `${migrationVersion}-add-last-refresh-token`
+const loggerPrefix = `[${migrationVersion} migration]`
+
+/**
+ * This migration script adds lastRefreshToken and lastRefreshTokenExpiresAt columns to the sessions table.
+ *
+ * @param {MigrationOptions} options - an object containing the migration context.
+ * @returns {Promise<void>} - A promise that resolves when the migration is complete.
+ */
+async function up({ context: { queryInterface, logger } }) {
+  logger.info(`${loggerPrefix} UPGRADE BEGIN: ${migrationName}`)
+
+  if (await queryInterface.tableExists('sessions')) {
+    const tableDescription = await queryInterface.describeTable('sessions')
+
+    if (!tableDescription.lastRefreshToken) {
+      logger.info(`${loggerPrefix} Adding lastRefreshToken column to sessions table`)
+      await queryInterface.addColumn('sessions', 'lastRefreshToken', {
+        type: queryInterface.sequelize.Sequelize.DataTypes.STRING,
+        allowNull: true
+      })
+    } else {
+      logger.info(`${loggerPrefix} lastRefreshToken column already exists in sessions table`)
+    }
+
+    if (!tableDescription.lastRefreshTokenExpiresAt) {
+      logger.info(`${loggerPrefix} Adding lastRefreshTokenExpiresAt column to sessions table`)
+      await queryInterface.addColumn('sessions', 'lastRefreshTokenExpiresAt', {
+        type: queryInterface.sequelize.Sequelize.DataTypes.DATE,
+        allowNull: true
+      })
+    } else {
+      logger.info(`${loggerPrefix} lastRefreshTokenExpiresAt column already exists in sessions table`)
+    }
+  } else {
+    logger.info(`${loggerPrefix} sessions table does not exist`)
+  }
+
+  logger.info(`${loggerPrefix} UPGRADE END: ${migrationName}`)
+}
+
+/**
+ * This migration script removes the lastRefreshToken and lastRefreshTokenExpiresAt columns from the sessions table.
+ *
+ * @param {MigrationOptions} options - an object containing the migration context.
+ * @returns {Promise<void>} - A promise that resolves when the migration is complete.
+ */
+async function down({ context: { queryInterface, logger } }) {
+  logger.info(`${loggerPrefix} DOWNGRADE BEGIN: ${migrationName}`)
+
+  if (await queryInterface.tableExists('sessions')) {
+    const tableDescription = await queryInterface.describeTable('sessions')
+
+    if (tableDescription.lastRefreshToken) {
+      logger.info(`${loggerPrefix} Removing lastRefreshToken column from sessions table`)
+      await queryInterface.removeColumn('sessions', 'lastRefreshToken')
+    } else {
+      logger.info(`${loggerPrefix} lastRefreshToken column does not exist in sessions table`)
+    }
+
+    if (tableDescription.lastRefreshTokenExpiresAt) {
+      logger.info(`${loggerPrefix} Removing lastRefreshTokenExpiresAt column from sessions table`)
+      await queryInterface.removeColumn('sessions', 'lastRefreshTokenExpiresAt')
+    } else {
+      logger.info(`${loggerPrefix} lastRefreshTokenExpiresAt column does not exist in sessions table`)
+    }
+  } else {
+    logger.info(`${loggerPrefix} sessions table does not exist`)
+  }
+
+  logger.info(`${loggerPrefix} DOWNGRADE END: ${migrationName}`)
+}
+
+module.exports = { up, down }

server/models/Session.js

@@ -18,6 +18,10 @@ class Session extends Model {
     this.userId
     /** @type {Date} */
     this.expiresAt
+    /** @type {string} */
+    this.lastRefreshToken
+    /** @type {Date} */
+    this.lastRefreshTokenExpiresAt
 
     // Expanded properties
 
@@ -66,6 +70,14 @@ class Session extends Model {
         expiresAt: {
           type: DataTypes.DATE,
           allowNull: false
+        },
+        lastRefreshToken: {
+          type: DataTypes.STRING,
+          allowNull: true
+        },
+        lastRefreshTokenExpiresAt: {
+          type: DataTypes.DATE,
+          allowNull: true
         }
       },
       {