Refactored account model to store refresh tokens in their own MongoDB collection

Author: cornflourblue

_helpers/db.js

@@ -5,7 +5,8 @@ mongoose.connect(process.env.MONGODB_URI || config.connectionString, connectionO
 mongoose.Promise = global.Promise;
 
 module.exports = {
-    Account: require('../accounts/account.model'),
+    Account: require('accounts/account.model'),
+    RefreshToken: require('accounts/refresh-token.model'),
     isValidId
 };
 

_helpers/send-email.js

@@ -3,7 +3,7 @@ const config = require('config.json');
 
 module.exports = sendEmail;
 
-function sendEmail({ to, subject, html, from = config.emailFrom }) {
+async function sendEmail({ to, subject, html, from = config.emailFrom }) {
     const transporter = nodemailer.createTransport(config.smtpOptions);
-    transporter.sendMail({ from, to, subject, html });
+    await transporter.sendMail({ from, to, subject, html });
 }

_middleware/authorize.js

@@ -18,6 +18,7 @@ function authorize(roles = []) {
         // authorize based on user role
         async (req, res, next) => {
             const account = await db.Account.findById(req.user.id);
+            const refreshTokens = await db.RefreshToken.find({ account: account.id });
 
             if (!account || (roles.length && !roles.includes(account.role))) {
                 // account no longer exists or role not authorized
@@ -26,7 +27,7 @@ function authorize(roles = []) {
 
             // authentication and authorization successful
             req.user.role = account.role;
-            req.user.ownsToken = token => !!account.refreshTokens.find(x => x.token === token);
+            req.user.ownsToken = token => !!refreshTokens.find(x => x.token === token);
             next();
         }
     ];

accounts/account.model.js

@@ -1,25 +1,7 @@
 const mongoose = require('mongoose');
 const Schema = mongoose.Schema;
 
-const refreshTokenSchema = new Schema({
-    token: String,
-    expires: Date,
-    created: { type: Date, default: Date.now },
-    createdByIp: String,
-    revoked: Date,
-    revokedByIp: String,
-    replacedByToken: String
-});
-
-refreshTokenSchema.virtual('isExpired').get(function () {
-    return Date.now() >= this.expires;
-});
-
-refreshTokenSchema.virtual('isActive').get(function () {
-    return !this.revoked && !this.isExpired;
-});
-
-const accountSchema = new Schema({
+const schema = new Schema({
     email: { type: String, unique: true, required: true },
     passwordHash: { type: String, required: true },
     title: { type: String, required: true },
@@ -35,15 +17,14 @@ const accountSchema = new Schema({
     },
     passwordReset: Date,
     created: { type: Date, default: Date.now },
-    updated: Date,
-    refreshTokens: [refreshTokenSchema]
+    updated: Date
 });
 
-accountSchema.virtual('isVerified').get(function () {
+schema.virtual('isVerified').get(function () {
     return !!(this.verified || this.passwordReset);
 });
 
-accountSchema.set('toJSON', {
+schema.set('toJSON', {
     virtuals: true,
     versionKey: false,
     transform: function (doc, ret) {
@@ -53,4 +34,4 @@ accountSchema.set('toJSON', {
     }
 });
 
-module.exports = mongoose.model('Account', accountSchema);
+module.exports = mongoose.model('Account', schema);

accounts/account.service.js

@@ -5,7 +5,6 @@ const crypto = require("crypto");
 const sendEmail = require('_helpers/send-email');
 const db = require('_helpers/db');
 const Role = require('_helpers/role');
-const Account = db.Account;
 
 module.exports = {
     authenticate,
@@ -24,19 +23,18 @@ module.exports = {
 };
 
 async function authenticate({ email, password, ipAddress }) {
-    const account = await Account.findOne({ email });
+    const account = await db.Account.findOne({ email });
 
     if (!account || !account.isVerified || !bcrypt.compareSync(password, account.passwordHash)) {
         throw 'Email or password is incorrect';
     }
 
     // authentication successful so generate jwt and refresh tokens
     const jwtToken = generateJwtToken(account);
-    const refreshToken = generateRefreshToken(ipAddress);
+    const refreshToken = generateRefreshToken(account, ipAddress);
 
     // save refresh token
-    account.refreshTokens.push(refreshToken);
-    account.save();
+    await refreshToken.save();
 
     // return basic details and tokens
     return { 
@@ -47,15 +45,16 @@ async function authenticate({ email, password, ipAddress }) {
 }
 
 async function refreshToken({ token, ipAddress }) {
-    const { account, refreshToken } = await getRefreshToken(token);
+    const refreshToken = await getRefreshToken(token);
+    const { account } = refreshToken;
 
     // replace old refresh token with a new one and save
-    const newRefreshToken = generateRefreshToken(ipAddress);
+    const newRefreshToken = generateRefreshToken(account, ipAddress);
     refreshToken.revoked = Date.now();
     refreshToken.revokedByIp = ipAddress;
     refreshToken.replacedByToken = newRefreshToken.token;
-    account.refreshTokens.push(newRefreshToken);
-    account.save();
+    await refreshToken.save();
+    await newRefreshToken.save();
 
     // generate new jwt
     const jwtToken = generateJwtToken(account);
@@ -69,26 +68,26 @@ async function refreshToken({ token, ipAddress }) {
 }
 
 async function revokeToken({ token, ipAddress }) {
-    const { account, refreshToken } = await getRefreshToken(token);
+    const refreshToken = await getRefreshToken(token);
 
     // revoke token and save
     refreshToken.revoked = Date.now();
     refreshToken.revokedByIp = ipAddress;
-    account.save()
+    await refreshToken.save();
 }
 
 async function register(params, origin) {
     // validate
-    if (await Account.findOne({ email: params.email })) {
+    if (await db.Account.findOne({ email: params.email })) {
         // send already registered error in email to prevent account enumeration
-        return sendAlreadyRegisteredEmail(params.email, origin);
+        return await sendAlreadyRegisteredEmail(params.email, origin);
     }
 
     // create account object
-    const account = new Account(params);
+    const account = new db.Account(params);
 
     // first registered account is an admin
-    const isFirstAccount = (await Account.countDocuments({})) === 0;
+    const isFirstAccount = (await db.Account.countDocuments({})) === 0;
     account.role = isFirstAccount ? Role.Admin : Role.User;
     account.verificationToken = randomTokenString();
 
@@ -101,11 +100,11 @@ async function register(params, origin) {
     await account.save();
 
     // send email
-    sendVerificationEmail(account, origin);
+    await sendVerificationEmail(account, origin);
 }
 
 async function verifyEmail({ token }) {
-    const account = await Account.findOne({ verificationToken: token });
+    const account = await db.Account.findOne({ verificationToken: token });
 
     if (!account) throw 'Verification failed';
 
@@ -115,7 +114,7 @@ async function verifyEmail({ token }) {
 }
 
 async function forgotPassword({ email }, origin) {
-    const account = await Account.findOne({ email });
+    const account = await db.Account.findOne({ email });
 
     // always return ok response to prevent email enumeration
     if (!account) return;
@@ -125,14 +124,14 @@ async function forgotPassword({ email }, origin) {
         token: randomTokenString(),
         expires: new Date(Date.now() + 24*60*60*1000)
     };
-    account.save();
+    await account.save();
 
     // send email
-    sendPasswordResetEmail(account, origin);
+    await sendPasswordResetEmail(account, origin);
 }
 
 async function validateResetToken({ token }) {
-    const account = await Account.findOne({
+    const account = await db.Account.findOne({
         'resetToken.token': token,
         'resetToken.expires': { $gt: Date.now() }
     });
@@ -141,7 +140,7 @@ async function validateResetToken({ token }) {
 }
 
 async function resetPassword({ token, password }) {
-    const account = await Account.findOne({ 
+    const account = await db.Account.findOne({ 
         'resetToken.token': token,
         'resetToken.expires': { $gt: Date.now() }
     });
@@ -156,7 +155,7 @@ async function resetPassword({ token, password }) {
 }
 
 async function getAll() {
-    const accounts = await Account.find();
+    const accounts = await db.Account.find();
     return accounts.map(x => basicDetails(x));
 }
 
@@ -167,11 +166,11 @@ async function getById(id) {
 
 async function create(params) {
     // validate
-    if (await Account.findOne({ email: params.email })) {
+    if (await db.Account.findOne({ email: params.email })) {
         throw 'Email "' + params.email + '" is already registered';
     }
 
-    const account = new Account(params);
+    const account = new db.Account(params);
     account.verified = Date.now();
 
     // hash password
@@ -189,7 +188,7 @@ async function update(id, params) {
     const account = await getAccount(id);
 
     // validate
-    if (account.email !== params.email && await Account.findOne({ email: params.email })) {
+    if (account.email !== params.email && await db.Account.findOne({ email: params.email })) {
         throw 'Email "' + params.email + '" is already taken';
     }
 
@@ -215,17 +214,15 @@ async function _delete(id) {
 
 async function getAccount(id) {
     if (!db.isValidId(id)) throw 'Account not found';
-    const account = await Account.findById(id);
+    const account = await db.Account.findById(id);
     if (!account) throw 'Account not found';
     return account;
 }
 
 async function getRefreshToken(token) {
-    const account = await Account.findOne().elemMatch('refreshTokens', { token });
-    if (!account) throw 'Invalid token';
-    const refreshToken = account.refreshTokens.find(x => x.token === token);    
-    if (!refreshToken.isActive) throw 'Invalid token';
-    return { account, refreshToken };
+    const refreshToken = await db.RefreshToken.findOne({ token }).populate('account');
+    if (!refreshToken || !refreshToken.isActive) throw 'Invalid token';
+    return refreshToken;
 }
 
 function hash(password) {
@@ -237,13 +234,14 @@ function generateJwtToken(account) {
     return jwt.sign({ sub: account.id, id: account.id }, config.secret, { expiresIn: '15m' });
 }
 
-function generateRefreshToken(ipAddress) {
+function generateRefreshToken(account, ipAddress) {
     // create a refresh token that expires in 7 days
-    return {
+    return new db.RefreshToken({
+        account: account.id,
         token: randomTokenString(),
         expires: new Date(Date.now() + 7*24*60*60*1000),
         createdByIp: ipAddress
-    };
+    });
 }
 
 function randomTokenString() {
@@ -255,7 +253,7 @@ function basicDetails(account) {
     return { id, title, firstName, lastName, email, role, created, updated, isVerified };
 }
 
-function sendVerificationEmail(account, origin) {
+async function sendVerificationEmail(account, origin) {
     let message;
     if (origin) {
         const verifyUrl = `${origin}/account/verify-email?token=${account.verificationToken}`;
@@ -266,7 +264,7 @@ function sendVerificationEmail(account, origin) {
                    <p><code>${account.verificationToken}</code></p>`;
     }
 
-    sendEmail({
+    await sendEmail({
         to: account.email,
         subject: 'Sign-up Verification API - Verify Email',
         html: `<h4>Verify Email</h4>
@@ -275,15 +273,15 @@ function sendVerificationEmail(account, origin) {
     });
 }
 
-function sendAlreadyRegisteredEmail(email, origin) {
+async function sendAlreadyRegisteredEmail(email, origin) {
     let message;
     if (origin) {
         message = `<p>If you don't know your password please visit the <a href="${origin}/account/forgot-password">forgot password</a> page.</p>`;
     } else {
         message = `<p>If you don't know your password you can reset it via the <code>/account/forgot-password</code> api route.</p>`;
     }
 
-    sendEmail({
+    await sendEmail({
         to: email,
         subject: 'Sign-up Verification API - Email Already Registered',
         html: `<h4>Email Already Registered</h4>
@@ -292,7 +290,7 @@ function sendAlreadyRegisteredEmail(email, origin) {
     });
 }
 
-function sendPasswordResetEmail(account, origin) {
+async function sendPasswordResetEmail(account, origin) {
     let message;
     if (origin) {
         const resetUrl = `${origin}/account/reset-password?token=${account.resetToken.token}`;
@@ -303,7 +301,7 @@ function sendPasswordResetEmail(account, origin) {
                    <p><code>${account.resetToken.token}</code></p>`;
     }
 
-    sendEmail({
+    await sendEmail({
         to: account.email,
         subject: 'Sign-up Verification API - Reset Password',
         html: `<h4>Reset Password Email</h4>

accounts/refresh-token.model.js

@@ -0,0 +1,23 @@
+const mongoose = require('mongoose');
+const Schema = mongoose.Schema;
+
+const schema = new Schema({
+    account: { type: Schema.Types.ObjectId, ref: 'Account' },
+    token: String,
+    expires: Date,
+    created: { type: Date, default: Date.now },
+    createdByIp: String,
+    revoked: Date,
+    revokedByIp: String,
+    replacedByToken: String
+});
+
+schema.virtual('isExpired').get(function () {
+    return Date.now() >= this.expires;
+});
+
+schema.virtual('isActive').get(function () {
+    return !this.revoked && !this.isExpired;
+});
+
+module.exports = mongoose.model('RefreshToken', schema);