ciphera-net/pulse
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 15 Wiki Activity
Files
2d3388546f3cdba6d8835ba37356baf7686b92ac
pulse/app/api/auth/refresh/route.ts
Usman Baig 2d3388546f fix: pass CSRF token to switch-context call in refresh route 
The auth API requires CSRF tokens on POST requests. The switch-context
call was failing silently with 403, causing refreshed tokens to lack
org_id.
2026-03-13 11:29:45 +01:00

129 lines
4.5 KiB
TypeScript
Raw Blame History

import { cookies } from 'next/headers'
import { NextResponse } from 'next/server'
import { getCookieDomain } from '@/lib/utils/cookies'
const AUTH_API_URL = process.env.NEXT_PUBLIC_AUTH_API_URL || process.env.NEXT_PUBLIC_AUTH_URL || 'http://localhost:8081'
export async function POST() {
const cookieStore = await cookies()
const refreshToken = cookieStore.get('refresh_token')?.value
if (!refreshToken) {
return NextResponse.json({ error: 'No refresh token' }, { status: 401 })
}
// * Read org_id from existing access token (if still present) before refreshing
let previousOrgId: string | null = null
const existingToken = cookieStore.get('access_token')?.value
if (existingToken) {
try {
const payload = JSON.parse(Buffer.from(existingToken.split('.')[1], 'base64').toString())
previousOrgId = payload.org_id || null
} catch { /* token may be malformed, proceed without org */ }
}
try {
// * Step 1: Refresh the base token
const res = await fetch(`${AUTH_API_URL}/api/v1/auth/refresh`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ refresh_token: refreshToken }),
})
const cookieDomain = getCookieDomain()
if (!res.ok) {
// * If refresh fails, clear cookies
cookieStore.set('access_token', '', { maxAge: 0, path: '/', domain: cookieDomain })
cookieStore.set('refresh_token', '', { maxAge: 0, path: '/', domain: cookieDomain })
return NextResponse.json({ error: 'Refresh failed' }, { status: 401 })
}
const data = await res.json()
let finalAccessToken = data.access_token
// * Get CSRF token from Auth API refresh response (needed for switch-context call)
const csrfToken = res.headers.get('X-CSRF-Token')
// * Also check for CSRF token in the cookie store (browser may have sent it)
const csrfFromCookie = cookieStore.get('csrf_token')?.value
const csrfForRequests = csrfToken || csrfFromCookie || ''
// * Step 2: Restore organization context
// * The auth service's refresh endpoint returns a "base" token without org_id.
// * We need to call switch-context to get an org-scoped token so that
// * Pulse API requests don't fail with 403 after a mid-session refresh.
let orgId = previousOrgId
if (!orgId) {
// * No org_id from old token — look up user's organizations
try {
const orgsRes = await fetch(`${AUTH_API_URL}/api/v1/auth/organizations`, {
headers: {
'Content-Type': 'application/json',
'Authorization': `Bearer ${finalAccessToken}`,
},
})
if (orgsRes.ok) {
const orgsData = await orgsRes.json()
if (orgsData.organizations?.length > 0) {
orgId = orgsData.organizations[0].organization_id
}
}
} catch { /* proceed with base token */ }
}
if (orgId) {
try {
const switchRes = await fetch(`${AUTH_API_URL}/api/v1/auth/switch-context`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': `Bearer ${finalAccessToken}`,
'X-CSRF-Token': csrfForRequests,
'Cookie': `csrf_token=${csrfForRequests}`,
},
body: JSON.stringify({ organization_id: orgId }),
})
if (switchRes.ok) {
const switchData = await switchRes.json()
finalAccessToken = switchData.access_token
}
} catch { /* proceed with base token */ }
}
cookieStore.set('access_token', finalAccessToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
domain: cookieDomain,
maxAge: 60 * 15
})
cookieStore.set('refresh_token', data.refresh_token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
domain: cookieDomain,
maxAge: 60 * 60 * 24 * 30
})
// * Set/update CSRF token cookie (non-httpOnly, for JS access)
if (csrfToken) {
cookieStore.set('csrf_token', csrfToken, {
httpOnly: false, // * Must be readable by JS for CSRF protection
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
domain: cookieDomain,
maxAge: 60 * 60 * 24 * 30
})
}
return NextResponse.json({ success: true, access_token: finalAccessToken })
} catch (error) {
return NextResponse.json({ error: 'Internal error' }, { status: 500 })
}
}
Reference in New Issue View Git Blame Copy Permalink