fix: add roles to the access cookie token signing

Bccorb · Bccorb · commit afbcb5cc06bd · 2026-02-15T16:29:52.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/controllers/authentication.ts b/src/controllers/authentication.ts
@@ -319,7 +319,7 @@ export const refreshSession = async (req: Request, res: Response) => {
   session.replacedBySessionId = newSession.id;
   await session.save();
 
-  const token = await signAccessToken(session.id, user.id);
+  const token = await signAccessToken(session.id, user.id, user.roles);
 
   if (token && newRefreshTokenHash) {
     await AuthEventService.log({ userId: user.id, type: 'refresh_token_success', req });
diff --git a/src/controllers/otp.ts b/src/controllers/otp.ts
@@ -231,7 +231,7 @@ export const verifyPhoneNumber = async (req: Request, res: Response) => {
           lastUsedAt: undefined,
         });
 
-        token = await signAccessToken(session.id, user.id);
+        token = await signAccessToken(session.id, user.id, user.roles);
       }
 
       if (token && refreshToken) {
@@ -342,7 +342,7 @@ export const verifyEmail = async (req: Request, res: Response) => {
         lastUsedAt: undefined,
       });
 
-      token = await signAccessToken(session.id, user.id);
+      token = await signAccessToken(session.id, user.id, user.roles);
     }
 
     if (token && refreshToken) {
@@ -438,7 +438,7 @@ export const verifyLoginPhoneNumber = async (req: Request, res: Response) => {
           lastUsedAt: undefined,
         });
 
-        token = await signAccessToken(session.id, user.id);
+        token = await signAccessToken(session.id, user.id, user.roles);
       }
 
       if (token && refreshToken) {
@@ -560,7 +560,7 @@ export const verifyLoginEmail = async (req: Request, res: Response) => {
         lastUsedAt: undefined,
       });
 
-      token = await signAccessToken(session.id, user.id);
+      token = await signAccessToken(session.id, user.id, user.roles);
     }
 
     if (token && refreshToken) {
diff --git a/src/controllers/webauthn.ts b/src/controllers/webauthn.ts
@@ -251,7 +251,7 @@ const verifyWebAuthnRegistration = async (req: Request, res: Response) => {
       lastUsedAt: undefined,
     });
 
-    const token = await signAccessToken(session.id, user.id);
+    const token = await signAccessToken(session.id, user.id, user.roles);
 
     user.challenge = '';
     user.verified = true;
@@ -275,16 +275,17 @@ const verifyWebAuthnRegistration = async (req: Request, res: Response) => {
 
       const { access_token_ttl, refresh_token_ttl } = await getSystemConfig();
 
-      return res
-        .status(200)
-        .json({
-          message: 'Success',
-          token,
-          refreshToken,
-          sub: user.id,
-          ttl: parseDurationToSeconds(access_token_ttl || '15m'),
-          refreshTtl: parseDurationToSeconds(refresh_token_ttl || '1h'),
-        });
+      return res.status(200).json({
+        message: 'Success',
+        token,
+        refreshToken,
+        sub: user.id,
+        roles: user.roles,
+        email: user.email,
+        phone: user.phone,
+        ttl: parseDurationToSeconds(access_token_ttl || '15m'),
+        refreshTtl: parseDurationToSeconds(refresh_token_ttl || '1h'),
+      });
     }
   } catch (err) {
     logger.error(`Error in verifyWebAuthnRegistration: ${err}`);
@@ -516,6 +517,8 @@ const verifyWebAuthn = async (req: Request, res: Response) => {
           refreshToken,
           sub: user.id,
           roles: user.roles,
+          email: user.email,
+          phone: user.phone,
           ttl: parseDurationToSeconds(access_token_ttl || '15m'),
           refreshTtl: parseDurationToSeconds(refresh_token_ttl || '1h'),
         });
