feat: token refresh

client/components/login.vue

@@ -11,7 +11,7 @@
             offset-xl4, xl4
             )
             transition(name='zoom')
-              v-card.elevation-5.radius-7(v-show='isShown')
+              v-card.elevation-5.md2(v-show='isShown')
                 v-toolbar(color='primary', flat, dense, dark)
                   v-spacer
                   .subheading(v-if='screen === "tfa"') {{ $t('auth:tfa.subtitle') }}
@@ -59,7 +59,7 @@
                     )
                 v-card-actions.pb-4
                   v-spacer
-                  v-btn(
+                  v-btn.md2(
                     v-if='screen === "login"'
                     block
                     large
@@ -68,7 +68,7 @@
                     round
                     :loading='isLoading'
                     ) {{ $t('auth:actions.login') }}
-                  v-btn(
+                  v-btn.md2(
                     v-if='screen === "tfa"'
                     block
                     large

client/scss/layout/_md2.scss

 .md2 {
 
-  &.v-text-field .v-input__slot {
-    border-radius: 28px;
+  &.v-text-field {
+    .v-input__slot {
+      border-radius: 7px;
+    }
+  }
+
+  &.v-btn {
+    border-radius: 7px;
+  }
+
+  &.v-card {
+    border-radius: 7px;
   }
 
 }

server/graph/directives/auth.js

 const { SchemaDirectiveVisitor } = require('graphql-tools')
 const { defaultFieldResolver } = require('graphql')
+const _ = require('lodash')
 
 class AuthDirective extends SchemaDirectiveVisitor {
   visitObject(type) {
@@ -39,11 +40,13 @@ class AuthDirective extends SchemaDirectiveVisitor {
         }
 
         const context = args[2]
-        console.info(context.req.user)
-        // const user = await getUser(context.headers.authToken)
-        // if (!user.hasRole(requiredScopes)) {
-        //   throw new Error('not authorized')
-        // }
+        if (!context.req.user) {
+          throw new Error('Unauthorized')
+        }
+
+        if (!_.some(context.req.user.permissions, pm => _.includes(requiredScopes, pm))) {
+          throw new Error('Forbidden')
+        }
 
         return resolve.apply(this, args)
       }

server/helpers/security.js

@@ -24,16 +24,14 @@ module.exports = {
     })
   },
 
-  async extractJWT (req) {
-    return passportJWT.ExtractJwt.fromExtractors([
-      passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(),
-      (req) => {
-        let token = null
-        if (req && req.cookies) {
-          token = req.cookies['jwt']
-        }
-        return token
+  extractJWT: passportJWT.ExtractJwt.fromExtractors([
+    passportJWT.ExtractJwt.fromAuthHeaderAsBearerToken(),
+    (req) => {
+      let token = null
+      if (req && req.cookies) {
+        token = req.cookies['jwt']
       }
-    ])(req)
-  }
+      return token
+    }
+  ])
 }

server/middlewares/auth.js

@@ -13,12 +13,9 @@ module.exports = {
     WIKI.auth.passport.authenticate('jwt', {session: false}, async (err, user, info) => {
       if (err) { return next() }
 
-      console.info(err, user, info)
-
       // Expired but still valid within 7 days, just renew
       if (info instanceof jwt.TokenExpiredError && moment().subtract(7, 'days').isBefore(info.expiredAt)) {
         const jwtPayload = jwt.decode(securityHelper.extractJWT(req))
-        console.info(jwtPayload)
         try {
           const newToken = await WIKI.models.users.refreshToken(jwtPayload.id)
           user = newToken.user

server/models/users.js

@@ -252,9 +252,9 @@ module.exports = class User extends Model {
         timezone: user.timezone,
         localeCode: user.localeCode,
         defaultEditor: user.defaultEditor,
-        permissions: []
+        permissions: ['manage:system']
       }, WIKI.config.sessionSecret, {
-        expiresIn: '10s',
+        expiresIn: '30m',
         audience: 'urn:wiki.js', // TODO: use value from admin
         issuer: 'urn:wiki.js'
       }),