Merge pull request #624 from auth0/refresh-with-no-rt

throw if you try to refresh with no rt
auth0 · Mar 24, 2022 · ab4999c · ab4999c
2 parents 15e89f5 + 6421223
commit ab4999c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/src/session/get-access-token.ts b/src/session/get-access-token.ts
@@ -139,6 +139,13 @@ export default function accessTokenFactory(
       );
     }
 
+    if (accessTokenRequest?.refresh && !session.refreshToken) {
+      throw new AccessTokenError(
+        'no_refresh_token',
+        'A refresh token is required to refresh the access token, but none is present.'
+      );
+    }
+
     // Check if the token has expired.
     // There is an edge case where we might have some clock skew where our code assumes the token is still valid.
     // Adding a skew of 1 minute to compensate.

diff --git a/tests/session/get-access-token.test.ts b/tests/session/get-access-token.test.ts
@@ -98,6 +98,22 @@ describe('get access token', () => {
     );
   });
 
+  test('should fail if you try to refresh the access token without a refresh token', async () => {
+    const baseUrl = await setup(withApi, {
+      callbackOptions: {
+        afterCallback: (_req, _res, session): Session => {
+          delete session.refreshToken;
+          return session;
+        }
+      },
+      getAccessTokenOptions: { refresh: true }
+    });
+    const cookieJar = await login(baseUrl);
+    await expect(get(baseUrl, '/api/access-token', { cookieJar })).rejects.toThrow(
+      'A refresh token is required to refresh the access token, but none is present.'
+    );
+  });
+
   test('should return an access token', async () => {
     const baseUrl = await setup(withApi);
     const cookieJar = await login(baseUrl);