From f39a418e9c6f1eb9f895c7d835b205760f9494bd Mon Sep 17 00:00:00 2001
From: Vantz Stockwell
Date: Sat, 21 Feb 2026 15:05:19 -0500
Subject: [PATCH] fix: Refresh endpoint returns new refresh_token + bump access TTL to 4h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The refresh endpoint only returned access_token, causing the frontend to set refreshToken=undefined after first refresh — breaking the entire token chain. Now returns both tokens (rotating refresh). Access token default bumped from 15min to 4h (14400s) for practical server setup sessions. Also fixed empty license_key for super admin via DB update.

Co-Authored-By: Claude Opus 4.6
---
 backend-nest/src/config/configuration.ts | 2 +-
 backend-nest/src/modules/auth/auth.service.ts | 18 ++++-------------
 2 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/backend-nest/src/config/configuration.ts b/backend-nest/src/config/configuration.ts
index ace7b8f..f521e16 100644
--- a/backend-nest/src/config/configuration.ts
+++ b/backend-nest/src/config/configuration.ts
@@ -9,7 +9,7 @@ export default () => ({
 },
 jwt: {
 secret: process.env.JWT_SECRET || 'change-me',
- accessExpirySeconds: parseInt(process.env.JWT_ACCESS_EXPIRY_SECONDS || '900', 10),
+ accessExpirySeconds: parseInt(process.env.JWT_ACCESS_EXPIRY_SECONDS || '14400', 10),
 refreshExpirySeconds: parseInt(process.env.JWT_REFRESH_EXPIRY_SECONDS || '604800', 10),
 },
 encryption: {
diff --git a/backend-nest/src/modules/auth/auth.service.ts b/backend-nest/src/modules/auth/auth.service.ts
index 579859b..779747e 100644
--- a/backend-nest/src/modules/auth/auth.service.ts
+++ b/backend-nest/src/modules/auth/auth.service.ts
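Review bot: Raising the default `accessExpirySeconds` to 14400 (4h) on the `+` line widens the window in which a leaked bearer token stays usable, since a signed JWT is accepted until it expires and nothing in this config suggests a server-side check; with the refresh endpoint now handing back a rotated refresh token, a short access TTL costs the client only one extra refresh call. I would keep the default at `'900'` and let deployments that need longer sessions set `JWT_ACCESS_EXPIRY_SECONDS`, or at minimum document the trade-off next to the line with `// 4h default: access tokens cannot be revoked before expiry — shorten in hardened deployments`. Separately, `parseInt` yields `NaN` for a malformed env value and that would flow straight into the JWT `expiresIn`; a `Number.isFinite` guard with the fallback would be cheap here. The enclosing `export default () => ({` object starts and ends outside the hunk.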
@@ -161,22 +161,12 @@ export class AuthService {
 throw new UnauthorizedException('User not found');
 }
- // Generate new access token
- const accessToken = await this.jwtService.signAsync(
- {
- sub: user.id,
- email: user.email,
- username: user.username,
- is_super_admin: user.is_super_admin,
- },
- {
- secret: this.configService.get('jwt.secret'),
- expiresIn: this.configService.get('jwt.accessExpirySeconds') || 900,
- },
- );
+ // Generate new token pair (rotating refresh tokens)
+ const tokens = await this.generateTokens(user);
 return {
- access_token: accessToken,
+ access_token: tokens.access_token,
+ refresh_token: tokens.refresh_token,
 };
 } catch (error) {
 throw new UnauthorizedException('Invalid refresh token');
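Review bot: The new token pair is returned without anything in this hunk invalidating the refresh token that was just presented, so unless the verification above the hunk or `generateTokens` persists and revokes it, the old and new refresh tokens are both valid until their 7-day expiry and the "rotating refresh" in the comment gives no replay protection. A stolen refresh token could then be exchanged repeatedly, and reuse of an already-rotated token — the usual signal of theft — would go unnoticed; I would record the consumed token (a `jti` or hash) as used before returning, reject it on reuse, and treat such reuse as grounds to revoke the user's whole token family. Note also that moving `generateTokens` inside the existing `try` means any signing or DB failure it throws is now reported to the client as `'Invalid refresh token'` (401) rather than surfacing as a server error, which will hide real faults behind an auth message. The enclosing refresh method starts and ends outside the hunk.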