prevent expired refreshToken to proceed

src/domain/entities/jwt.payload.ts

@@ -1,19 +1,17 @@
 import { IsInt, IsNotEmpty, IsString } from 'class-validator'
 
-export interface IJwtPayload<T = string> {
-  iat: number
-  exp: number
-  username: string
-  sub: T
-}
-
 export interface IJwtPayloadRawDecoded {
   iat: number
   exp: number
   username: string
   sub: string
 }
 
+export interface IJwtPayload<T = string>
+  extends Omit<IJwtPayloadRawDecoded, 'sub'> {
+  sub: T
+}
+
 export class JwtPayload implements IJwtPayload {
   @IsNotEmpty()
   @IsInt()

src/domain/strategies/refresh-token.strategy.ts

@@ -1,8 +1,9 @@
 import { HttpStatus, Injectable } from '@nestjs/common'
 import { PassportStrategy } from '@nestjs/passport'
+import moment from 'moment'
 import { ExtractJwt, JwtFromRequestFunction } from 'passport-jwt'
 import { Strategy } from 'passport-strategy'
-import { lastValueFrom, map } from 'rxjs'
+import { lastValueFrom, map, mergeMap, of } from 'rxjs'
 import {
   AuthTransferTokenMethod,
   getRequestCookie,
@@ -87,11 +88,22 @@ export class RefreshTokenStrategy extends PassportStrategy(
 
   protected async validate(
     payload: IJwtPayload
-  ): Promise<IAuthUserEntityForResponse> {
+  ): Promise<IAuthUserEntityForResponse | undefined> {
     return lastValueFrom(
-      this.authRepository
-        .getAuthUserByUsername(payload.username)
-        .pipe(map(hideRedactedFields(this.authDefinitions.redactedFields)))
+      of(payload).pipe(
+        mergeMap((res) => {
+          /**
+           * Do not allow expired refreshToken to proceed.
+           */
+          if (moment().isAfter(moment(payload.exp * 1000).toDate())) {
+            return of(undefined)
+          }
+
+          return this.authRepository
+            .getAuthUserByUsername(res.username)
+            .pipe(map(hideRedactedFields(this.authDefinitions.redactedFields)))
+        })
+      )
     )
   }
 }