fix: insecure token storage when using no non custom domain

Author: DanielRivers

lib/utils/token/refreshToken.test.ts

@@ -5,6 +5,7 @@ import {
   storageSettings,
 } from "../../sessionManager";
 import * as tokenUtils from ".";
+import * as refreshTimer from "../refreshTimer";
 
 describe("refreshToken", () => {
   const mockDomain = "https://example.com";
@@ -17,6 +18,8 @@ describe("refreshToken", () => {
     vi.resetAllMocks();
     vi.spyOn(tokenUtils, "getDecodedToken").mockResolvedValue(null);
     vi.spyOn(memoryStorage, "setSessionItem");
+    vi.spyOn(refreshTimer, "setRefreshTimer");
+    vi.spyOn(tokenUtils, "refreshToken");
     tokenUtils.setActiveStorage(memoryStorage);
     global.fetch = vi.fn();
     vi.spyOn(console, "error").mockImplementation(() => {});
@@ -192,10 +195,19 @@ describe("refreshToken", () => {
       refresh_token: "new-refresh-token",
     };
     storageSettings.useInsecureForRefreshToken = true;
+
+    const insecureStorage = new MemoryStorage();
+
+    tokenUtils.setInsecureStorage(insecureStorage);
+    await insecureStorage.setSessionItem(
+      StorageKeys.refreshToken,
+      mockRefreshTokenValue,
+    );
+    vi.spyOn(insecureStorage, "setSessionItem");
     memoryStorage.getSessionItem = vi
       .fn()
       .mockResolvedValue(mockRefreshTokenValue);
-    vi.mocked(global.fetch).mockResolvedValue({
+    vi.mocked(global.fetch).mockResolvedValueOnce({
       ok: true,
       json: () => Promise.resolve(mockResponse),
     } as Response);
@@ -219,9 +231,94 @@ describe("refreshToken", () => {
       StorageKeys.idToken,
       "new-id-token",
     );
-    expect(memoryStorage.setSessionItem).toHaveBeenCalledWith(
+    expect(insecureStorage.setSessionItem).toHaveBeenCalledWith(
+      StorageKeys.refreshToken,
+      "new-refresh-token",
+    );
+    expect(memoryStorage.setSessionItem).not.toHaveBeenCalledWith(
       StorageKeys.refreshToken,
       "new-refresh-token",
     );
+
+    // reset storageSettings to default
+    storageSettings.useInsecureForRefreshToken = false;
+  });
+
+  it("raise error when no session storage is found when useInsecureForRefreshToken", async () => {
+    const mockResponse = {
+      access_token: "new-access-token",
+      id_token: "new-id-token",
+      refresh_token: "new-refresh-token",
+    };
+    storageSettings.useInsecureForRefreshToken = true;
+
+    tokenUtils.clearActiveStorage();
+
+    const insecureStorage = new MemoryStorage();
+    tokenUtils.setInsecureStorage(insecureStorage);
+    await insecureStorage.setSessionItem(
+      StorageKeys.refreshToken,
+      mockRefreshTokenValue,
+    );
+
+    vi.mocked(global.fetch).mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve(mockResponse),
+    } as Response);
+
+    const result = await tokenUtils.refreshToken({
+      domain: mockDomain,
+      clientId: mockClientId,
+    });
+
+    expect(result).toStrictEqual({
+      error: "No active storage found",
+      success: false,
+    });
+
+    storageSettings.useInsecureForRefreshToken = false;
+  });
+
+  it("triggers new timer when expires_in supplied and calls refreshToken", async () => {
+    vi.useFakeTimers();
+    const mockResponse = {
+      access_token: "new-access-token",
+      id_token: "new-id-token",
+      refresh_token: "new-refresh-token",
+      expires_in: 1000,
+    };
+
+    const insecureStorage = new MemoryStorage();
+    tokenUtils.setInsecureStorage(insecureStorage);
+    await insecureStorage.setSessionItem(
+      StorageKeys.refreshToken,
+      mockRefreshTokenValue,
+    );
+
+    vi.mocked(global.fetch).mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve(mockResponse),
+    } as Response);
+
+    const result = await tokenUtils.refreshToken({
+      domain: mockKindeDomain,
+      clientId: mockClientId,
+    });
+
+    expect(refreshTimer.setRefreshTimer).toHaveBeenCalledWith(
+      1000,
+      expect.any(Function),
+    );
+    vi.runAllTimers();
+    expect(tokenUtils.refreshToken).toHaveBeenCalledWith({
+      domain: mockKindeDomain,
+      clientId: mockClientId,
+    });
+    expect(result).toStrictEqual({
+      accessToken: "new-access-token",
+      idToken: "new-id-token",
+      refreshToken: "new-refresh-token",
+      success: true,
+    });
   });
 });

lib/utils/token/refreshToken.ts

@@ -4,7 +4,7 @@ import {
   StorageKeys,
   storageSettings,
 } from "../../sessionManager";
-import { sanitizeUrl } from "..";
+import { isCustomDomain, sanitizeUrl } from "..";
 import { clearRefreshTimer, setRefreshTimer } from "../refreshTimer";
 
 export interface RefreshTokenResult {
@@ -51,7 +51,7 @@ export const refreshToken = async ({
     let refreshTokenValue: string = "";
 
     let storage: SessionManager | null;
-    if (storageSettings.useInsecureForRefreshToken) {
+    if (storageSettings.useInsecureForRefreshToken || !isCustomDomain(domain)) {
       storage = getInsecureStorage();
     } else {
       storage = getActiveStorage();
@@ -102,17 +102,27 @@ export const refreshToken = async ({
       }
       const data = await response.json();
       if (data.access_token) {
+        const secureStore = getActiveStorage();
+        if (!secureStore) {
+          return {
+            success: false,
+            error: "No active storage found",
+          };
+        }
         setRefreshTimer(data.expires_in, async () => {
           refreshToken({ domain, clientId });
         });
 
         if (storage) {
-          await storage.setSessionItem(
+          await secureStore.setSessionItem(
             StorageKeys.accessToken,
             data.access_token,
           );
           if (data.id_token) {
-            await storage.setSessionItem(StorageKeys.idToken, data.id_token);
+            await secureStore.setSessionItem(
+              StorageKeys.idToken,
+              data.id_token,
+            );
           }
           if (data.refresh_token) {
             await storage.setSessionItem(
@@ -142,7 +152,7 @@ export const refreshToken = async ({
   } catch (error) {
     return {
       success: false,
-      error: `Error refreshing token: ${error}`,
+      error: `Error refreshing token: ${(error as Error).message}`,
     };
   }
 };