Naming of functions generating JWT, and consistency of data associated with JWT

[polymorpher]

In

pump.fun.backend/src/user/user.service.ts

Line 72 in ab2b9d9

async getTokens(payload: object) {

, the function is named as a get-only function (i.e. pure), but in fact it mutates the server state, generate and records a JWT token at the server (via jwtService.signAsync). The name should be updated to reflect that, e.g. create...

In

pump.fun.backend/src/user/user.controller.ts

Line 150 in ab2b9d9

const userData = this.jwtService.verify(body.token);

, a new token is generated using returned userData with a few JWT fields deleted. This can be potentially inconsistent with the payload given in other places, such as

pump.fun.backend/src/user/user.controller.ts

Line 107 in ab2b9d9

const jwt = await this.userService.getTokens(payload)

. It could lead to error if new fields are added later one, or if library updates and assigns new fields to the payload

[ArtemKolodko]

1. getTokens

Function doesn't make any mutations on the server side. signAsync creates object in memory and return the resulted object (accessToken / refreshToken).
Generated tokens are not stored anyware on the backend side and are passed directly to the client

[ArtemKolodko]

2. this.jwtService.verify

Agree, theoretically, deleting can be dangerous, but iat, exp and jti is a service properties described in specification:
https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims#registered-claims

It is very unlikely that these properties will be excluded or renamed.
About the payload - it's the dev responsibility; if you are adding new fields to JWT you have to understand how it works and check the specification at least once.

Current PumpOne JWT structure:

A solution can be to wrap the user payload (username, etc) into additional property, but it would result in a slight increase of JWT token size.

Considering all of this, I prefer to leave it as it is, but it's discussible of course! Thanks for pointing it

[polymorpher]

Sounds good, let's get back to this when the structure becomes more dynamic and complex