Add refresh-token endpoint

Author: pimterry

api/src/auth0.ts

@@ -89,6 +89,13 @@ export const loginWithPasswordlessCode = withRetries('loginPWL', async (email: s
     })).data
 );
 
+export const refreshToken = withRetries('refreshToken', async (refreshToken: string) =>
+    (await authClient.oauth.refreshTokenGrant({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken
+    })).data
+)
+
 export type User = auth0.GetUsers200ResponseOneOfInner & {
     app_metadata: AppMetadata
 };

api/src/functions/auth/refresh-token.ts

@@ -0,0 +1,37 @@
+import { initSentry, catchErrors, StatusError } from '../../errors';
+initSentry();
+
+import { getCorsResponseHeaders } from '../../cors';
+import * as auth0 from '../../auth0';
+
+export const handler = catchErrors(async (event) => {
+    let headers = getCorsResponseHeaders(event);
+
+    if (event.httpMethod === 'OPTIONS') {
+        return { statusCode: 200, headers, body: '' };
+    } else if (event.httpMethod !== 'POST') {
+        return { statusCode: 405, headers, body: '' };
+    }
+
+    let refreshToken;
+    try {
+        ({ refreshToken } = JSON.parse(event.body!));
+    } catch (e) {
+        throw new StatusError(400, 'Invalid request body');
+    }
+
+    if (!refreshToken) throw new StatusError(400, 'Refresh token is required');
+
+    const result = await auth0.refreshToken(refreshToken);
+
+    return {
+        statusCode: 200,
+        headers: { ...headers,
+            'content-type': 'application/json'
+        },
+        body: JSON.stringify({
+            accessToken: result.access_token,
+            expiresAt: Date.now() + result.expires_in * 1000
+        })
+    };
+});

api/src/server.ts

@@ -95,6 +95,7 @@ apiRouter.get('/redirect-paypro-to-thank-you', lambdaWrapper('redirect-paypro-to
 
 apiRouter.post('/auth/send-code', lambdaWrapper('auth/send-code'));
 apiRouter.post('/auth/login', lambdaWrapper('auth/login'));
+apiRouter.post('/auth/refresh-token', lambdaWrapper('auth/refresh-token'));
 
 apiRouter.post('/update-team', lambdaWrapper('update-team'));
 apiRouter.post('/update-team-size', lambdaWrapper('update-team-size'));

api/test/auth.spec.ts

@@ -4,6 +4,14 @@ import { expect } from 'chai';
 import { DestroyableServer } from "destroyable-server";
 import { AUTH0_PORT, auth0Server, startServer } from "./test-util";
 
+const TOKEN_RESPONSE = {
+    "access_token": "at",
+    "refresh_token": "rt",
+    "scope": "openid email offline_access",
+    "expires_in": 86400,
+    "token_type": "Bearer"
+};
+
 describe("API auth endpoints", () => {
 
     let apiServer: DestroyableServer;
@@ -73,13 +81,7 @@ describe("API auth endpoints", () => {
     describe("/auth/login", () => {
 
         it("returns a 400 if you don't provide a body", async () => {
-            const tokenEndpoint = await auth0Server.forPost('/oauth/token').thenJson(200, {
-                "access_token": "at",
-                "refresh_token": "rt",
-                "scope": "openid email offline_access",
-                "expires_in": 86400,
-                "token_type": "Bearer"
-            });
+            const tokenEndpoint = await auth0Server.forPost('/oauth/token').thenJson(200, TOKEN_RESPONSE);
 
             const response = await fetch(`${apiAddress}/api/auth/login`, {
                 method: 'POST'
@@ -114,13 +116,7 @@ describe("API auth endpoints", () => {
                     scope: 'openid email offline_access app_metadata',
                     grant_type: 'http://auth0.com/oauth/grant-type/passwordless/otp'
                 })
-                .thenJson(200, {
-                    "access_token": "at",
-                    "refresh_token": "rt",
-                    "scope": "openid email offline_access",
-                    "expires_in": 86400,
-                    "token_type": "Bearer"
-                });
+                .thenJson(200, TOKEN_RESPONSE);
 
             const response = await fetch(`${apiAddress}/api/auth/login`, {
                 method: 'POST',
@@ -140,4 +136,55 @@ describe("API auth endpoints", () => {
 
     });
 
+    describe("/auth/refresh-token", () => {
+
+        it("returns a 400 if you don't provide a body", async () => {
+            const tokenEndpoint = await auth0Server.forPost('/oauth/token').thenJson(200, TOKEN_RESPONSE);
+
+            const response = await fetch(`${apiAddress}/api/auth/refresh-token`, {
+                method: 'POST'
+            });
+
+            expect(response.status).to.equal(400);
+            expect(await tokenEndpoint.getSeenRequests()).to.have.length(0);
+        });
+
+        it("returns a 400 if you don't provide a refreshToken", async () => {
+            const tokenEndpoint = await auth0Server.forPost('/oauth/token').thenReply(200);
+
+            const response = await fetch(`${apiAddress}/api/auth/refresh-token`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ })
+            });
+
+            expect(response.status).to.equal(400);
+            expect(await tokenEndpoint.getSeenRequests()).to.have.length(0);
+        });
+
+        it("sends a request to Auth0 to refresh the token", async () => {
+            const refreshToken = 'rt';
+            const tokenEndpoint = await auth0Server.forPost('/oauth/token')
+                .withForm({
+                    refresh_token: refreshToken,
+                    grant_type: 'refresh_token'
+                })
+                .thenJson(200, TOKEN_RESPONSE);
+
+            const response = await fetch(`${apiAddress}/api/auth/refresh-token`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ refreshToken })
+            });
+
+            expect(response.status).to.equal(200);
+            expect(await tokenEndpoint.getSeenRequests()).to.have.length(1);
+
+            const result = await response.json();
+            expect(result.accessToken).to.equal('at');
+            expect(result.expiresAt).to.be.greaterThan(Date.now());
+            expect(result.expiresAt).to.be.lessThan(Date.now() + 100_000_000);
+        });
+    });
+
 });