refactor(platform-service): auth/jwt.ts — productId from caller, issuer → 'bytelyst-platform'

- createAccessToken() and createRefreshToken() now require productId parameter - Issuer changed from PRODUCT_ID env var to generic 'bytelyst-platform' - verifyToken() validates against 'bytelyst-platform' issuer - auth/routes.ts callers updated to pass productId (still from PRODUCT_ID env var for now) - Refresh endpoint reads productId from user doc
2026-02-15 14:16:49 -08:00 · 2026-02-15 14:16:49 -08:00 · 8cc70db676
commit 8cc70db676
parent 465d429e09
2 changed files with 15 additions and 9 deletions
--- a/services/platform-service/src/modules/auth/jwt.ts
+++ b/services/platform-service/src/modules/auth/jwt.ts
@ -4,7 +4,6 @@
 */

 import { SignJWT, jwtVerify } from 'jose';
-import { PRODUCT_ID } from '../../lib/product-config.js';

 function getSecret(): Uint8Array {
  const secret = process.env.JWT_SECRET;
@ -16,21 +15,25 @@ export async function createAccessToken(payload: {
  sub: string;
  email: string;
  role: string;
+  productId: string;
 }): Promise<string> {
-  return new SignJWT({ ...payload, productId: PRODUCT_ID, type: 'access' })
+  return new SignJWT({ ...payload, type: 'access' })
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setExpirationTime('1h')
-    .setIssuer(PRODUCT_ID)
+    .setIssuer('bytelyst-platform')
    .sign(getSecret());
 }

-export async function createRefreshToken(payload: { sub: string }): Promise<string> {
-  return new SignJWT({ sub: payload.sub, productId: PRODUCT_ID, type: 'refresh' })
+export async function createRefreshToken(payload: {
+  sub: string;
+  productId: string;
+}): Promise<string> {
+  return new SignJWT({ sub: payload.sub, productId: payload.productId, type: 'refresh' })
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setExpirationTime('7d')
-    .setIssuer(PRODUCT_ID)
+    .setIssuer('bytelyst-platform')
    .sign(getSecret());
 }

@ -42,7 +45,7 @@ export async function verifyToken(token: string): Promise<{
  type?: string;
 }> {
  const { payload } = await jwtVerify(token, getSecret(), {
-    issuer: PRODUCT_ID,
+    issuer: 'bytelyst-platform',
  });
  return payload as {
    sub: string;
--- a/services/platform-service/src/modules/auth/routes.ts
+++ b/services/platform-service/src/modules/auth/routes.ts
@ -36,8 +36,9 @@ export async function authRoutes(app: FastifyInstance) {
      sub: user.id,
      email: user.email,
      role: user.role,
+      productId: PRODUCT_ID,
    });
-    const refreshToken = await jwt.createRefreshToken({ sub: user.id });
+    const refreshToken = await jwt.createRefreshToken({ sub: user.id, productId: PRODUCT_ID });

    return {
      accessToken,
@ -76,8 +77,9 @@ export async function authRoutes(app: FastifyInstance) {
      sub: user.id,
      email: user.email,
      role: user.role,
+      productId: PRODUCT_ID,
    });
-    const refreshToken = await jwt.createRefreshToken({ sub: user.id });
+    const refreshToken = await jwt.createRefreshToken({ sub: user.id, productId: PRODUCT_ID });

    reply.code(201);
    return {
@ -104,6 +106,7 @@ export async function authRoutes(app: FastifyInstance) {
        sub: user.id,
        email: user.email,
        role: user.role,
+        productId: user.productId,
      });
      return { accessToken };
    } catch {