Skip to content

WIP: Refresh Token #4582

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gitwoz wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

WIP: Refresh Token #4582

gitwoz wants to merge 1 commit into from

Conversation

@gitwoz
Copy link
Contributor

@gitwoz gitwoz commented Jun 30, 2025

Reverts #4581

@gitwoz gitwoz requested a review from a team as a code owner June 30, 2025 09:30
@gitwoz gitwoz linked an issue Jun 30, 2025 that may be closed by this pull request
Refresh token API #4535
Closed
cursor[bot]
cursor bot reviewed Jun 30, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Null Token Handling in `setCookie` Function

The setCookie function uses jwt.decode() for accessToken and refreshToken without null checking. If a token is malformed, jwt.decode() returns null, causing a runtime TypeError (e.g., "Cannot read property 'exp' of null") when attempting to access the .exp property to determine cookie expiration. This can lead to application crashes when setting authentication cookies.

src/common/utils/cookie.ts#L83-L101

matters-server/src/common/utils/cookie.ts

Lines 83 to 101 in 5ab38e6

// cookie:accessToken - Contains user authentication JWT (1 hour)
if (accessToken) {
const payload = jwt.decode(accessToken) as { exp: number }
const accessCookieOptions = getCookieOptions({
req,
expires: new Date(payload.exp * 1000),
})
res.cookie(COOKIE_ACCESS_TOKEN_NAME, accessToken, accessCookieOptions)
}
// cookie:refreshToken - Contains refresh token (30 days)
if (refreshToken) {
const payload = jwt.decode(refreshToken) as { exp: number }
const refreshCookieOptions = getCookieOptions({
req,
expires: new Date(payload.exp * 1000),
})
res.cookie(COOKIE_REFRESH_TOKEN_NAME, refreshToken, refreshCookieOptions)
}

Fix in Cursor

Was this report helpful? Give feedback by reacting with 👍 or 👎

@codecov
Copy link

codecov bot commented Jun 30, 2025

Codecov Report

Attention: Patch coverage is 38.06452% with 96 lines in your changes missing coverage. Please review.

Project coverage is 55.71%. Comparing base (f2cc812) to head (5ab38e6).
Report is 1 commits behind head on develop.

Files with missing lines Patch % Lines
src/mutations/user/refreshToken.ts 2.77% 31 Missing and 4 partials ⚠️
src/common/utils/getViewer.ts 22.22% 19 Missing and 2 partials ⚠️
src/connectors/userService.ts 40.00% 16 Missing and 2 partials ⚠️
src/common/utils/cookie.ts 6.66% 12 Missing and 2 partials ⚠️
src/mutations/user/verifyEmail.ts 28.57% 5 Missing ⚠️
src/mutations/user/socialLogin.ts 0.00% 2 Missing ⚠️
src/mutations/user/userLogout.ts 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           develop    #4582      +/-   ##
===========================================
- Coverage    56.40%   55.71%   -0.70%     
===========================================
  Files          973      975       +2     
  Lines        19074    19179     +105     
  Branches      4032     4052      +20     
===========================================
- Hits         10759    10685      -74     
- Misses        7575     7730     +155     
- Partials       740      764      +24

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Refresh token API

2 participants

@gitwoz