From a2423fad5e1512c548c7bb3ada2d0346dcea7743 Mon Sep 17 00:00:00 2001
From: Antoine Moreaux
Date: Wed, 18 Dec 2024 18:56:49 +0100
Subject: [PATCH] feat(auth): add workspaceId validation and token expiration (#9134)

Added validation to ensure refresh tokens include a workspaceId, throwing an exception for malformed tokens. Included workspaceId in payloads and introduced expiration handling for access tokens. This enhances token security and prevents potential misuse. Close #9126
---
 .../auth/token/services/access-token.service.ts | 1 +
 .../auth/token/services/refresh-token.service.ts | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts b/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts
index bb80d91af594..35e567d474bb 100644
--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/access-token.service.ts
@@ -100,6 +100,7 @@ export class AccessTokenService {
 return {
 token: this.jwtWrapperService.sign(jwtPayload, {
 secret: this.jwtWrapperService.generateAppSecret('ACCESS', workspaceId),
+ expiresIn,
 }),
 expiresAt,
 };
diff --git a/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts b/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts
index 7dfe5d68ec5f..ea574709bb95 100644
--- a/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/token/services/refresh-token.service.ts
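Review bot: Passing `expiresIn` to `sign` only bounds access tokens issued from now on; tokens minted before this change carry no `exp` claim and, if `jwtWrapperService` wraps `jsonwebtoken`, will keep verifying indefinitely because a missing `exp` is not a verification error there. The verification path should reject payloads that lack the claim, e.g. `if (!payload.exp) throw new AuthException('Access token has no expiration', AuthExceptionCode.INVALID_INPUT);`, so that legacy non-expiring tokens stop being accepted. Separately, `expiresIn` and the returned `expiresAt` are presumably computed independently before the hunk, so the `exp` claim and the value reported to the client can drift by the time between the two computations; deriving one from the other keeps them consistent. The enclosing method starts before the hunk.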
@@ -90,6 +90,14 @@ export class RefreshTokenService { ); } + // TODO: Delete this useless condition and error after March 31st 2025 + if (!token.workspaceId) { + throw new AuthException( + 'This refresh token is malformed', + AuthExceptionCode.INVALID_INPUT, + ); + } + return { user, token }; } @@ -115,10 +123,12 @@ export class RefreshTokenService { const refreshTokenPayload = { userId, expiresAt, + workspaceId, type: AppTokenType.RefreshToken, }; const jwtPayload = { sub: userId, + workspaceId, }; const refreshToken = this.appTokenRepository.create(refreshTokenPayload);
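Review bot: The guard at `if (!token.workspaceId)` only checks that a workspaceId is present, not that it matches the workspace the refresh is being performed for or the secret the token was verified against; if that binding happens earlier in this method (it starts before the hunk), a comment pointing to it would help, otherwise presence alone does not prevent a token from one workspace being used for another. The TODO also misdescribes the check as useless: it rejects refresh tokens issued before workspaceId was added to the payload, which is exactly what the commit wants. Suggested wording: `// Refresh tokens issued before workspaceId was added to the payload lack it; reject them rather than trust a token with no workspace binding. TODO: remove once every such token has expired (after March 31st 2025).` Finally, `INVALID_INPUT` is a generic code for a malformed token; if the enum has a token-specific variant it would classify the failure better for clients.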
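Review bot: `workspaceId` is now written into `refreshTokenPayload`, which goes to `this.appTokenRepository.create(...)`, yet the diffstat lists only the two service files, so no entity or migration change accompanies it. If the app-token entity does not already have a `workspaceId` column the repository will silently drop the property, and if the `token` checked by the new `!token.workspaceId` guard is the persisted row, every freshly issued refresh token would then be rejected; worth confirming the column exists before merging. The JWT payload also gains `workspaceId` as a custom claim next to `sub`; a short comment such as `// workspaceId is required by RefreshTokenService.verifyRefreshToken — tokens without it are rejected` ties the two sides together (adjust the method name to the actual verifier). The enclosing method starts before the hunk and continues after it.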