I am not sure whether this is a NestJS issue or something else, but I'll try my luck here in case anyone has any ideas. TL;DR: whenever I compare a refresh token to the hashed refresh token that is stored in the DB with bcrypt, bcrypt.compare always returns true if the token sent is any refresh token that was owned by the user. This is my refresh strategy:
import { Injectable } from '@nestjs/common';
import { ConfigService } from '@nestjs/config';
import { PassportStrategy } from '@nestjs/passport';
import { Request } from 'express';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { FirebaseAuthService } from '../firebase-auth.service';
import TokenPayload from '../interface/tokey-payload.interface';
/**
 * Passport strategy registered under the name 'jwt-refresh-token'.
 *
 * The refresh token is read from the `refreshToken` field of the request body
 * and checked by passport-jwt against the key configured as
 * `JWT_REFRESH_TOKEN_SECRET`. `validate()` then asks FirebaseAuthService
 * whether that exact token string is the one stored for the user.
 */
@Injectable()
export class JwtRefreshTokenStrategy extends PassportStrategy(
  Strategy,
  'jwt-refresh-token',
) {
  constructor(
    private readonly configService: ConfigService,
    private readonly firebaseAuthService: FirebaseAuthService,
  ) {
    super({
      // The token travels in the request body rather than in a header;
      // optional chaining makes a missing body yield undefined.
      jwtFromRequest: ExtractJwt.fromExtractors([
        (request: Request) => request?.body?.refreshToken,
      ]),
      secretOrKey: configService.get<string>('JWT_REFRESH_TOKEN_SECRET'),
      // Pass the request through so validate() can re-read the raw token string.
      passReqToCallback: true,
    });
  }

  /**
   * Resolves to whatever getUserIfRefreshTokenMatches resolves to for the
   * presented token and the `userId` claim from the JWT payload.
   *
   * @param request - Incoming request; the raw token is taken from `body.refreshToken`.
   * @param payload - JWT payload; only `userId` is read here.
   */
  async validate(request: Request, payload: TokenPayload) {
    const { refreshToken } = request.body;
    return this.firebaseAuthService.getUserIfRefreshTokenMatches(
      refreshToken,
      payload.userId,
    );
  }
}
And this is where bcrypt.compare always returns true:
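/**
 * Looks up the user with id `userId` and returns it when `refreshToken`
 * matches the bcrypt hash in `currentHashedRefreshToken`; resolves to
 * `undefined` otherwise.
 *
 * NOTE(review): bcrypt only uses the first 72 bytes of its input. A JWT
 * begins with its base64url-encoded header and the start of its payload, and
 * those leading bytes are likely identical across tokens issued to the same
 * user, so this comparison probably cannot tell one of the user's tokens from
 * another (old or revoked tokens would still match). Bringing the input under
 * the limit requires changing the code that stores the hash as well as this
 * comparison, e.g. by hashing a SHA-256 digest of the token on both sides.
 *
 * @param refreshToken - Raw refresh token string presented by the client.
 * @param userId - Id used to load the user from the repository.
 * @returns The user when the token matches the stored hash, else `undefined`.
 */
async getUserIfRefreshTokenMatches(refreshToken: string, userId: string) {
  const user = await this.userRepository.findOne({
    where: { id: Equal(userId) },
  });

  // Reject instead of throwing when the user does not exist or has no stored
  // hash: nothing to compare against means the token cannot be valid.
  if (!user?.currentHashedRefreshToken) {
    return undefined;
  }

  const tokenMatchesStoredHash = await bcrypt.compare(
    refreshToken,
    user.currentHashedRefreshToken,
  );

  return tokenMatchesStoredHash === true ? user : undefined;
}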