diff --git a/packages/payload/src/auth/operations/refresh.ts b/packages/payload/src/auth/operations/refresh.ts index 969fa57e15a..7889ebc1b3a 100644 --- a/packages/payload/src/auth/operations/refresh.ts +++ b/packages/payload/src/auth/operations/refresh.ts @@ -1,5 +1,4 @@ import url from 'url' -import { v4 as uuid } from 'uuid' import type { Collection } from '../../collections/config/types.js' import type { Document, PayloadRequest } from '../../types/index.js' @@ -74,11 +73,10 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise const parsedURL = url.parse(args.req.url!) const isGraphQL = parsedURL.pathname === config.routes.graphQL - const user = await args.req.payload.findByID({ - id: args.req.user.id, - collection: args.req.user.collection, - depth: isGraphQL ? 0 : args.collection.config.auth.depth, - req: args.req, + let user = await req.payload.db.findOne({ + collection: collectionConfig.slug, + req, + where: { id: { equals: args.req.user.id } }, }) const sid = args.req.user._sid @@ -88,7 +86,7 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise throw new Forbidden(args.req.t) } - const existingSession = user.sessions.find(({ id }) => id === sid) + const existingSession = user.sessions.find(({ id }: { id: number }) => id === sid) const now = new Date() const tokenExpInMs = collectionConfig.auth.tokenExpiration * 1000 @@ -106,6 +104,13 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise }) } + user = await req.payload.findByID({ + id: user.id, + collection: collectionConfig.slug, + depth: isGraphQL ? 0 : args.collection.config.auth.depth, + req: args.req, + }) + if (user) { user.collection = args.req.user.collection user._strategy = args.req.user._strategy diff --git a/test/auth/int.spec.ts b/test/auth/int.spec.ts index 29a7d92581e..6a89df60047 100644 --- a/test/auth/int.spec.ts +++ b/test/auth/int.spec.ts @@ -262,6 +262,42 @@ describe('Auth', () => { expect(data.user.custom).toBe('Goodbye, world!') }) + it('keeps apiKey encrypted in DB after refresh operation', async () => { + const apiKey = '987e6543-e21b-12d3-a456-426614174999' + const user = await payload.create({ + collection: slug, + data: { email: 'user@example.com', password: 'Password123', apiKey, enableAPIKey: true }, + }) + const { token } = await payload.login({ + collection: 'users', + data: { email: 'user@example.com', password: 'Password123' }, + }) + await restClient.POST('/users/refresh-token', { + headers: { Authorization: `JWT ${token}` }, + }) + const raw = await payload.db.findOne({ + collection: 'users', + req: { locale: 'en' } as any, + where: { id: { equals: user.id } }, + }) + expect(raw?.apiKey).not.toContain('-') // still ciphertext + }) + + it('returns a user with decrypted apiKey after refresh', async () => { + const { token } = await payload.login({ + collection: 'users', + data: { email: 'user@example.com', password: 'Password123' }, + }) + + const res = await restClient + .POST('/users/refresh-token', { + headers: { Authorization: `JWT ${token}` }, + }) + .then((r) => r.json()) + + expect(res.user.apiKey).toMatch(/[0-9a-f-]{36}/) // UUID string + }) + it('should allow a user to be created', async () => { const response = await restClient.POST(`/${slug}`, { body: JSON.stringify({