refactor(backend): revoke tokens, update email

move revoke tokens function from delete user to its own funciton (together with removing from cache) remove authutil calls from dal and move them to the controller layer make sure to revoke tokens on email change
2025-09-07 15:15:49 +08:00 · 2024-05-24 13:39:18 +02:00 · 2024-05-24 13:39:18 +02:00 · f7a97505db
commit f7a97505db
parent f9d1016e47
3 changed files with 31 additions and 13 deletions
--- a/backend/src/api/controllers/user.ts
+++ b/backend/src/api/controllers/user.ts
@ -24,10 +24,8 @@ import { ObjectId } from "mongodb";
 import * as ReportDAL from "../../dal/report";
 import emailQueue from "../../queues/email-queue";
 import FirebaseAdmin from "../../init/firebase-admin";
-import {
-  removeTokensFromCacheByUid,
-  deleteUser as firebaseDeleteUser,
-} from "../../utils/auth";
+import * as AuthUtil from "../../utils/auth";
+
 import * as Dates from "date-fns";
 import { UTCDateMini } from "@date-fns/utc";
 import * as BlocklistDal from "../../dal/blocklist";
@ -201,7 +199,8 @@ export async function deleteUser(
  ]);

  //delete user from
-  await firebaseDeleteUser(uid);
+  await AuthUtil.deleteUser(uid);
+  await AuthUtil.revokeTokensByUid(uid);

  void Logger.logToDb(
    "user_deleted",
@ -325,9 +324,31 @@ export async function updateEmail(
  newEmail = newEmail.toLowerCase();

  try {
+    await AuthUtil.updateUserEmail(uid, newEmail);
    await UserDAL.updateEmail(uid, newEmail);
+    await AuthUtil.revokeTokensByUid(uid);
  } catch (e) {
-    throw new MonkeyError(404, e.message, "update email", uid);
+    if (e.code === "auth/email-already-exists") {
+      throw new MonkeyError(
+        409,
+        "The email address is already in use by another account"
+      );
+    } else if (e.code === "auth/invalid-email") {
+      throw new MonkeyError(400, "Invalid email address");
+    } else if (e.code === "auth/too-many-requests") {
+      throw new MonkeyError(429, "Too many requests. Please try again later");
+    } else if (e.code === "auth/user-not-found") {
+      throw new MonkeyError(
+        404,
+        "User not found in the auth system",
+        "update email",
+        uid
+      );
+    } else if (e.code === "auth/invalid-user-token") {
+      throw new MonkeyError(401, "Invalid user token", "update email", uid);
+    } else {
+      throw e;
+    }
  }

  void Logger.logToDb(
@ -920,8 +941,7 @@ export async function revokeAllTokens(
  req: MonkeyTypes.Request
 ): Promise<MonkeyResponse> {
  const { uid } = req.ctx.decodedToken;
-  await FirebaseAdmin().auth().revokeRefreshTokens(uid);
-  removeTokensFromCacheByUid(uid);
+  await AuthUtil.revokeTokensByUid(uid);
  return new MonkeyResponse("All tokens revoked");
 }

--- a/backend/src/dal/user.ts
+++ b/backend/src/dal/user.ts
@ -1,6 +1,6 @@
 import _ from "lodash";
 import { isUsernameValid } from "../utils/validation";
-import { updateUserEmail } from "../utils/auth";
+import { updateUserEmail, updateUserPassword } from "../utils/auth";
 import { canFunboxGetPb, checkAndUpdatePb } from "../utils/pb";
 import * as db from "../init/db";
 import MonkeyError from "../utils/error";
@ -178,7 +178,6 @@ export async function updateQuoteRatings(
  quoteRatings: SharedTypes.UserQuoteRatings
 ): Promise<boolean> {
  await getUser(uid, "update quote ratings");
-
  await getUsersCollection().updateOne({ uid }, { $set: { quoteRatings } });
  return true;
 }
@ -188,7 +187,6 @@ export async function updateEmail(
  email: string
 ): Promise<boolean> {
  await getUser(uid, "update email"); // To make sure that the user exists
-  await updateUserEmail(uid, email);
  await getUsersCollection().updateOne({ uid }, { $set: { email } });
  return true;
 }
--- a/backend/src/utils/auth.ts
+++ b/backend/src/utils/auth.ts
@ -61,10 +61,10 @@ export async function updateUserEmail(

 export async function deleteUser(uid: string): Promise<void> {
  await FirebaseAdmin().auth().deleteUser(uid);
-  removeTokensFromCacheByUid(uid);
 }

-export function removeTokensFromCacheByUid(uid: string): void {
+export async function revokeTokensByUid(uid: string): Promise<void> {
+  await FirebaseAdmin().auth().revokeRefreshTokens(uid);
  for (const entry of tokenCache.entries()) {
    if (entry[1].uid === uid) {
      tokenCache.delete(entry[0]);