add response interceptors for refreshTokens method

media-store/srv/user-service.js

@@ -2,8 +2,9 @@ const cds = require("@sap/cds");
 const jwt = require("jsonwebtoken");
 const bcrypt = require("bcryptjs");
 
-const { ACCESS_TOKEN_SECRET } = cds.env;
+const { ACCESS_TOKEN_SECRET, REFRESH_TOKEN_SECRET } = cds.env;
 const ACCESS_TOKEN_EXP_IN = "10m";
+const REFRESH_TOKEN_EXPIRES_IN = "20m";
 
 const comparePasswords = async (password, hashedPassword) => {
   return new Promise((resolve, reject) =>
@@ -17,10 +18,30 @@ const comparePasswords = async (password, hashedPassword) => {
   );
 };
 
+const createTokens = (email, ID, roles) => {
+  const accessToken = jwt.sign({ email, ID, roles }, ACCESS_TOKEN_SECRET, {
+    expiresIn: ACCESS_TOKEN_EXP_IN,
+  });
+  const refreshToken = jwt.sign({ email, ID, roles }, REFRESH_TOKEN_SECRET, {
+    expiresIn: REFRESH_TOKEN_EXPIRES_IN,
+  });
+  return [accessToken, refreshToken];
+};
+
 module.exports = async function () {
   const db = await cds.connect.to("db");
   const { Employees, Customers } = db.entities;
 
+  async function getUser(email) {
+    let userFromDb = await db.run(SELECT.one(Employees).where({ email }));
+    let roles = ["employee"];
+    if (!userFromDb) {
+      userFromDb = await db.run(SELECT.one(Customers).where({ email }));
+      roles = ["customer"];
+    }
+    return Object.assign({}, userFromDb, { roles });
+  }
+
   this.before("UPDATE", "*", async (req) => {
     req.query = req.query.where({ ID: req.user.attr.ID });
   });
@@ -32,35 +53,58 @@ module.exports = async function () {
   this.on("login", async (req) => {
     const { email, password } = req.data;
 
-    let userFromDb = await db.run(SELECT.one(Employees).where({ email }));
-    let roles = ["employee"];
-    if (!userFromDb) {
-      userFromDb = await db.run(SELECT.one(Customers).where({ email }));
-      roles = ["customer"];
-    }
-
+    const userFromDb = await getUser(email);
     if (!userFromDb) {
       req.reject(401);
     }
+
     try {
       await comparePasswords(password, userFromDb.password);
     } catch (error) {
       req.reject(401);
     }
 
-    const token = jwt.sign(
-      { email, ID: userFromDb.ID, roles },
-      ACCESS_TOKEN_SECRET,
-      {
-        expiresIn: ACCESS_TOKEN_EXP_IN,
-      }
+    const [accessToken, refreshToken] = createTokens(
+      userFromDb.email,
+      userFromDb.ID,
+      userFromDb.roles
     );
 
     return {
-      token,
-      roles,
-      email: userFromDb.email,
+      accessToken,
+      refreshToken,
       ID: userFromDb.ID,
+      email: userFromDb.email,
+      roles: userFromDb.roles,
+    };
+  });
+
+  this.on("refreshTokens", async (req) => {
+    let decodedUser;
+    try {
+      const { refreshToken } = req.data;
+      decodedUser = jwt.verify(refreshToken, REFRESH_TOKEN_SECRET);
+    } catch (error) {
+      req.reject(401);
+    }
+
+    const userFromDb = await getUser(decodedUser.email);
+    if (!userFromDb) {
+      req.reject(401);
+    }
+
+    const [accessToken, refreshToken] = createTokens(
+      userFromDb.email,
+      userFromDb.ID,
+      userFromDb.roles
+    );
+
+    return {
+      accessToken,
+      refreshToken,
+      ID: userFromDb.ID,
+      email: userFromDb.email,
+      roles: userFromDb.roles,
     };
   });
 };