From 452a1a4b666f38ac4d11f827f4c9f73714762802 Mon Sep 17 00:00:00 2001
From: Christian Carlsson
Date: Mon, 11 Nov 2024 12:31:40 +0000
Subject: [PATCH] fix: check if refresh token exists
---
 go/pkg/repos/auth.go | 4 ++++
 go/rpc/auth/auth.go | 12 +++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/go/pkg/repos/auth.go b/go/pkg/repos/auth.go
index 487d4e529..9f0e2c77b 100644
--- a/go/pkg/repos/auth.go
+++ b/go/pkg/repos/auth.go
@@ -73,3 +73,7 @@ func (a *Auth) DeleteRefreshToken(ctx context.Context, refreshToken string) erro
 _, err := orm.Auths(orm.AuthWhere.RefreshToken.EQ(null.StringFrom(refreshToken))).UpdateAll(ctx, a.db, orm.M{orm.AuthColumns.RefreshToken: nil})
 return err
 }
+
+func (a *Auth) RefreshTokenExists(ctx context.Context, refreshToken string) (bool, error) {
+ return orm.Auths(orm.AuthWhere.RefreshToken.EQ(null.StringFrom(refreshToken))).Exists(ctx, a.db)
+}
diff --git a/go/rpc/auth/auth.go b/go/rpc/auth/auth.go
index e66c53b13..e1fa94808 100644
--- a/go/rpc/auth/auth.go
+++ b/go/rpc/auth/auth.go
@@ -111,10 +111,20 @@ func (h *handler) RefreshToken(ctx context.Context, _ *connect.Request[v1.Refres
 
 refreshToken, ok := ctx.Value(jwt.ContextKeyRefreshToken).(string)
 if !ok {
- log.Warn("refresh token not found")
+ log.Warn("refresh token not provided")
 return nil, connect.NewError(connect.CodeUnauthenticated, http.ErrNoCookie)
 }
 
+ exists, err := h.repo.RefreshTokenExists(ctx, refreshToken)
+ if err != nil {
+ log.Error("refresh token check failed", zap.Error(err))
+ return nil, connect.NewError(connect.CodeInternal, errors.New(""))
+ }
+ if !exists {
+ log.Warn("refresh token not found")
+ return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("refresh token not found"))
+ }
+
 claims, err := h.jwt.ClaimsFromToken(refreshToken, jwt.TokenTypeRefresh)
 if err != nil {
 log.Error("token parsing failed", zap.Error(err))
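Review bot: `RefreshTokenExists` is exported without a doc comment, and the handler in go/rpc/auth now relies on its contract as a revocation check. It matches the raw token string against the stored column, so it is true only while that exact value is still stored; `DeleteRefreshToken` in the context lines sets the column to nil. I would add `// RefreshTokenExists reports whether refreshToken is currently stored on any auth row; it returns false once the token has been cleared.` The lookup by raw value also suggests the column holds usable bearer tokens in clear text; if so, storing and comparing a digest of the token would limit what a database read exposes, though that change reaches beyond this hunk.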
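Review bot: The new `RefreshTokenExists` lookup runs before `ClaimsFromToken`, so any request that carries a cookie value, signed or not, costs a database query before the token's signature and expiry are checked. Moving the existence check below the `ClaimsFromToken` error handling would reject forged or expired tokens without touching the store and keep the revocation check for tokens that are otherwise valid. The internal-error path returns `errors.New("")`, which hands the client an empty message; `connect.NewError(connect.CodeInternal, errors.New("internal error"))` keeps the database detail private without being blank. The check and any later rotation are separate steps, so two concurrent requests with the same token may both pass it; the rest of RefreshToken is outside the hunk, so confirm whether rotation is done with a conditional update.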