refactor · medium severity · AI-assisted

Refactored Auth Service to JWT Tokens

payment-service · Mar 12, 2026, 2:34 PM · 47 mins · indexed 3h ago
Files: 7 · Added: +143 · Removed: -89

Replaced the legacy session-cookie authentication with a JWT-based token flow across the auth service layer. The existing SessionStore dependency was removed in favor of a new AuthMiddleware class that validates bearer tokens using RS256 signatures. The migration touches the core request pipeline, so downstream controllers that previously relied on req.session now receive a decoded token payload. Integration tests were updated to use a test JWT issuer.

Developer Intent

Prepare the auth layer for multi-service token sharing ahead of the microservice split. Session cookies don't survive cross-origin API calls from the new mobile client.

Impact Outlook

UserController and AdminController must be updated to read from the token payload instead of req.session. The logout endpoint now needs a token revocation list or short-lived expiry strategy.

Risk Factors
Session migration · Auth contract change · Missing revocation flow
File Navigator
AuthService.ts (modified) · src/services/AuthService.ts · 3 symbols, 2 impacts, +52
AuthMiddleware.ts (added) · src/middleware/AuthMiddleware.ts · 2 symbols, 0 impacts, +68
UserController.ts (modified) · src/controllers/UserController.ts · 1 symbol, 3 impacts, +18
session.ts (deleted) · src/utils/session.ts · 1 symbol, 4 impacts, +0
Unified Diff — src/services/AuthService.ts
Indexed 3h ago
·@@ -45,12 +45,15 @@ class AuthService {
45 async authenticate(req: Request) {
46- const session = req.cookies.sessionId;
47- if (!session) throw new Error('Unauthorized');
48- return await SessionStore.get(session);
46+ const token = req.headers.authorization?.split(' ')[1];
47+ if (!token) throw new AuthError('Missing bearer token');
48+ const decoded = await JWT.verify(token, this.publicKey);
49+ req.user = decoded;
50+ return decoded;
51 }
52
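Review bot: `req.headers.authorization?.split(' ')[1]` accepts any scheme, so a header such as `Basic <value>` reaches `JWT.verify` unchecked, and `JWT.verify(token, this.publicKey)` passes no algorithm constraint even though the change is described as RS256, which leaves the token's own header to choose how it is verified. Check that the first segment equals `Bearer` before taking the token, and pin the accepted algorithm in the verify call (for example an `{ algorithms: ['RS256'] }` option, if the library takes one) rather than relying on the key type. Also confirm that `req.user` is declared on the Request type so downstream controllers receive a typed payload instead of an implicit `any`.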
·@@ -62,8 +65,12 @@ class AuthService {
65 async refreshToken(req: Request) {
66- const sid = req.cookies.refreshSessionId;
67- return await SessionStore.refresh(sid);
66+ const refresh = req.body.refreshToken;
67+ if (!refresh) throw new AuthError('Missing refresh token');
68+ const payload = await JWT.verify(refresh, this.refreshKey);
69+ return this.issueTokenPair(payload.sub);
70 }
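Review bot: the refresh token is verified and exchanged via `this.issueTokenPair(payload.sub)` but never invalidated, so the same refresh token can be presented again until it expires; this is the missing revocation flow listed under risk factors. Suggest single-use rotation: record the consumed token's `jti` (or bump a per-user token version) when a pair is issued and reject it on the next presentation, and return an `AuthError` when `payload.sub` is absent rather than issuing a pair for `undefined`. `req.body.refreshToken` is also passed straight through with no check that it is a string, so a non-string body value goes directly into `JWT.verify`.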
modified authenticate method
modified refreshToken method
added issueTokenPair method