From 7d6d3e668788a2e37a5d6a27a939516d3e24d165 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Fri, 11 Jul 2025 14:43:07 -0500
Subject: [PATCH] Move invalidate refresh token to TokenManager
---
 server/Auth.js | 10 +---------
 server/auth/TokenManager.js | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/server/Auth.js b/server/Auth.js
index 55eb334a..571472a7 100644
--- a/server/Auth.js
+++ b/server/Auth.js
@@ -1,5 +1,4 @@
 const { Request, Response, NextFunction } = require('express')
-const { rateLimit } = require('express-rate-limit')
 const passport = require('passport')
 const JwtStrategy = require('passport-jwt').Strategy
 const ExtractJwt = require('passport-jwt').ExtractJwt
@@ -466,14 +465,7 @@ class Auth {
 // Invalidate the session in database using refresh token
 if (refreshToken) {
- try {
- Logger.info(`[Auth] logout: Invalidating session for refresh token: ${refreshToken}`)
- await Database.sessionModel.destroy({
- where: { refreshToken }
- })
- } catch (error) {
- Logger.error(`[Auth] Error destroying session: ${error.message}`)
- }
+ await this.tokenManager.invalidateRefreshToken(refreshToken)
 } else {
 Logger.info(`[Auth] logout: No refresh token on request`)
 }
diff --git a/server/auth/TokenManager.js b/server/auth/TokenManager.js
index 3f5cc836..65ae32b1 100644
--- a/server/auth/TokenManager.js
+++ b/server/auth/TokenManager.js
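Review bot: In the `server/Auth.js` logout hunk the boolean returned by `invalidateRefreshToken` is dropped, so when the session delete fails the handler carries on exactly as if the token had been revoked. In that case the session row for the refresh token may still exist while the client is told it is logged out; the removed inline `try`/`catch` had the same gap, so this is an opportunity to close it rather than a regression. Consider capturing the result, `const invalidated = await this.tokenManager.invalidateRefreshToken(refreshToken)`, and letting the response or a follow-up log entry reflect `!invalidated`. The rest of the logout handler lies outside the hunk, so how the response is built needs to be confirmed there.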
@@ -379,6 +379,28 @@ class TokenManager {
 await Database.sessionModel.destroy({ where: { userId: user.id } })
 return null
 }
+
+ /**
+ * Invalidate a refresh token - used for logout
+ *
+ * @param {string} refreshToken
+ * @returns {Promise}
+ */
+ async invalidateRefreshToken(refreshToken) {
+ if (!refreshToken) {
+ Logger.error(`[TokenManager] No refresh token provided to invalidate`)
+ return false
+ }
+
+ try {
+ const numDeleted = await Database.sessionModel.destroy({ where: { refreshToken: refreshToken } })
+ Logger.info(`[TokenManager] Refresh token ${refreshToken} invalidated, ${numDeleted} sessions deleted`)
+ return true
+ } catch (error) {
+ Logger.error(`[TokenManager] Error invalidating refresh token: ${error.message}`)
+ return false
+ }
+ }
 }
 module.exports = TokenManager
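Review bot: The `Logger.info` call inside the `try` of `invalidateRefreshToken` writes the full refresh token into the log, carrying over the pattern from the removed `[Auth] logout` line. A refresh token is a bearer credential, and logs usually reach more readers and systems than the session table, so the message is safer without the value: ``Logger.info(`[TokenManager] Refresh token invalidated, ${numDeleted} sessions deleted`)``. The method also returns `true` when `numDeleted` is 0, and the JSDoc as shown says only `@returns {Promise}`. Writing `@returns {Promise<boolean>} false on a missing token or database error, true otherwise (including when no session matched)` would state the contract callers can rely on.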