nakama/backend/utils/tokens.js

const jwt = require('jsonwebtoken');
const config = require('../config');

const ACCESS_COOKIE = config.jwt.accessCookieName;
const REFRESH_COOKIE = config.jwt.refreshCookieName;

const buildPayload = (user) => ({
  userId: user._id.toString(),
  telegramId: user.telegramId,
  role: user.role
});

const signAccessToken = (user) =>
  jwt.sign(buildPayload(user), config.jwt.accessSecret, {
    expiresIn: `${config.jwt.accessExpiresIn}s`
  });

const signRefreshToken = (user) =>
  jwt.sign(buildPayload(user), config.jwt.refreshSecret, {
    expiresIn: `${config.jwt.refreshExpiresIn}s`
  });

const signAuthTokens = (user) => ({
  accessToken: signAccessToken(user),
  refreshToken: signRefreshToken(user)
});

const getCookieBaseOptions = () => ({
  httpOnly: true,
  secure: config.isProduction(),
  sameSite: config.isProduction() ? 'lax' : 'lax',
  path: '/'
});

const setAuthCookies = (res, tokens) => {
  const base = getCookieBaseOptions();

  res.cookie(ACCESS_COOKIE, tokens.accessToken, {
    ...base,
    maxAge: config.jwt.accessExpiresIn * 1000
  });

  res.cookie(REFRESH_COOKIE, tokens.refreshToken, {
    ...base,
    maxAge: config.jwt.refreshExpiresIn * 1000
  });
};

const clearAuthCookies = (res) => {
  const base = getCookieBaseOptions();
  res.clearCookie(ACCESS_COOKIE, base);
  res.clearCookie(REFRESH_COOKIE, base);
};

const verifyAccessToken = (token) => jwt.verify(token, config.jwt.accessSecret);
const verifyRefreshToken = (token) => jwt.verify(token, config.jwt.refreshSecret);

module.exports = {
  ACCESS_COOKIE,
  REFRESH_COOKIE,
  signAuthTokens,
  setAuthCookies,
  clearAuthCookies,
  verifyAccessToken,
  verifyRefreshToken
};
Update files 2025-11-10 21:56:36 +00:00			`const jwt = require('jsonwebtoken');`
			`const config = require('../config');`

			`const ACCESS_COOKIE = config.jwt.accessCookieName;`
			`const REFRESH_COOKIE = config.jwt.refreshCookieName;`

			`const buildPayload = (user) => ({`
			`userId: user._id.toString(),`
			`telegramId: user.telegramId,`
			`role: user.role`
			`});`

			`const signAccessToken = (user) =>`
			`jwt.sign(buildPayload(user), config.jwt.accessSecret, {`
			expiresIn: `${config.jwt.accessExpiresIn}s`
			`});`

			`const signRefreshToken = (user) =>`
			`jwt.sign(buildPayload(user), config.jwt.refreshSecret, {`
			expiresIn: `${config.jwt.refreshExpiresIn}s`
			`});`

			`const signAuthTokens = (user) => ({`
			`accessToken: signAccessToken(user),`
			`refreshToken: signRefreshToken(user)`
			`});`

			`const getCookieBaseOptions = () => ({`
			`httpOnly: true,`
			`secure: config.isProduction(),`
			`sameSite: config.isProduction() ? 'lax' : 'lax',`
			`path: '/'`
			`});`

			`const setAuthCookies = (res, tokens) => {`
			`const base = getCookieBaseOptions();`

			`res.cookie(ACCESS_COOKIE, tokens.accessToken, {`
			`...base,`
			`maxAge: config.jwt.accessExpiresIn * 1000`
			`});`

			`res.cookie(REFRESH_COOKIE, tokens.refreshToken, {`
			`...base,`
			`maxAge: config.jwt.refreshExpiresIn * 1000`
			`});`
			`};`

			`const clearAuthCookies = (res) => {`
			`const base = getCookieBaseOptions();`
			`res.clearCookie(ACCESS_COOKIE, base);`
			`res.clearCookie(REFRESH_COOKIE, base);`
			`};`

			`const verifyAccessToken = (token) => jwt.verify(token, config.jwt.accessSecret);`
			`const verifyRefreshToken = (token) => jwt.verify(token, config.jwt.refreshSecret);`

			`module.exports = {`
			`ACCESS_COOKIE,`
			`REFRESH_COOKIE,`
			`signAuthTokens,`
			`setAuthCookies,`
			`clearAuthCookies,`
			`verifyAccessToken,`
			`verifyRefreshToken`
			`};`