Adding support for using the refresh token to generate a new access token once expired

Author: Nick Bragdon

server/package.json

@@ -70,6 +70,7 @@
     "jet-logger": "^1.0.4",
     "jsonfile": "^6.1.0",
     "module-alias": "^2.2.2",
+    "moment": "^2.29.1",
     "morgan": "^1.10.0"
   },
   "devDependencies": {

server/src/entities/AuthorizationToken.ts

@@ -1,11 +1,13 @@
+import moment from "moment";
+
 export interface IAuthorizationToken {
     access_token: string,
     expires_in: number,
     token_type: string,
     scope: [string],
     refresh_token: string,
     patient: string,
-    expires_at: number
+    expires_at?: number
 }
 
 export default class AuthorizationToken implements IAuthorizationToken {
@@ -22,7 +24,7 @@ export default class AuthorizationToken implements IAuthorizationToken {
     constructor(authToken: IAuthorizationToken) {
         this.access_token = authToken.access_token;
         this.expires_in = authToken.expires_in;
-        this.expires_at = authToken.expires_at;
+        this.expires_at = authToken.expires_at ? authToken.expires_at : moment().add(this.expires_in).valueOf();
         this.patient = authToken.patient;
         this.refresh_token = authToken.refresh_token;
         this.scope = authToken.scope;

server/src/routes/Authorize.ts

@@ -19,7 +19,7 @@ export async function authorizationCallback(req: Request, res: Response) {
         }
 
         // this gets the token from Medicare.gov once the 'user' authenticates their Medicare.gov account
-        const response = await getAccessToken(req.query.code?.toString(), req.query.state?.toString());        
+        const response = await getAccessToken(req.query.code?.toString(), req.query.state?.toString());
         const authToken = new AuthorizationToken(response.data);
 
         /* DEVELOPER NOTES:

server/src/routes/Data.ts

@@ -3,6 +3,8 @@ import axios from 'axios';
 import config from '../configs/config';
 import db from '../utils/db';
 import { getLoggedInUser } from 'src/utils/user';
+import moment from 'moment';
+import { refreshAccessToken } from 'src/utils/bb2';
 
 /* DEVELOPER NOTES:
 * This is our mocked Data Service layer for both the BB2 API
@@ -16,11 +18,23 @@ export async function getBenefitData(req: Request, res: Response) {
     const loggedInUser = getLoggedInUser(db);
     const envConfig = config[db.settings.env];
     const BB2_BENEFIT_URL = envConfig.bb2BaseUrl + '/' + db.settings.version + '/fhir/ExplanationOfBenefit/';
-    
+
+    if (!loggedInUser.authToken || !loggedInUser.authToken.access_token) {
+        return {};
+    }
+
+    /*
+    * If the access token is expired, use the refresh token to generate a new one
+    */
+    if (moment(loggedInUser.authToken.expires_at).isBefore(moment())) {
+        const newAuthToken = await refreshAccessToken(loggedInUser.authToken.refresh_token)
+        loggedInUser.authToken = newAuthToken;
+    }
+
     const response = await axios.get(BB2_BENEFIT_URL, { 
         params: req.query,
         headers: {
-            'Authorization': `Bearer ${loggedInUser.authToken?.access_token}`
+            'Authorization': `Bearer ${loggedInUser.authToken.access_token}`
         }
     });
     return response.data;

server/src/utils/bb2.ts

@@ -4,6 +4,7 @@ import FormData from 'form-data';
 import db from './db';
 import config from '../configs/config';
 import { generateCodeChallenge, generateRandomState } from './generatePKCE';
+import AuthorizationToken from '@entities/AuthorizationToken';
 
 export function generateAuthorizeUrl(): string {
     const envConfig = config[db.settings.env];
@@ -47,4 +48,26 @@ export async function getAccessToken(code: string, state: string | undefined) {
         form.append('code_challenge', codeChallenge.codeChallenge);
     }
     return await axios.post(BB2_ACCESS_TOKEN_URL, form, { headers: form.getHeaders() });
+}
+
+export async function refreshAccessToken(refreshToken: string) {
+    const envConfig = config[db.settings.env];
+
+    const BB2_ACCESS_TOKEN_URL = envConfig.bb2BaseUrl + '/' + db.settings.version + '/o/token/';
+
+    const tokenResponse = await axios({
+        method: 'post',
+        url: BB2_ACCESS_TOKEN_URL,
+        auth: {
+            username: envConfig.bb2ClientId,
+            password: envConfig.bb2ClientSecret
+        },
+        params: {
+            'grant_type': 'refresh_token',
+            'client_id': envConfig.bb2ClientId,
+            'refresh_token': refreshToken
+        }
+    });
+
+    return new AuthorizationToken(tokenResponse.data);
 }

server/yarn.lock

@@ -1681,6 +1681,11 @@ module-alias@^2.2.2:
   resolved "https://registry.yarnpkg.com/module-alias/-/module-alias-2.2.2.tgz#151cdcecc24e25739ff0aa6e51e1c5716974c0e0"
   integrity sha512-A/78XjoX2EmNvppVWEhM2oGk3x4lLxnkEA4jTbaK97QKSDjkIoOsKQlfylt/d3kKKi596Qy3NP5XrXJ6fZIC9Q==
 
+moment@^2.29.1:
+  version "2.29.1"
+  resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.1.tgz#b2be769fa31940be9eeea6469c075e35006fa3d3"
+  integrity sha512-kHmoybcPV8Sqy59DwNDY3Jefr64lK/by/da0ViFcuA4DH0vQg5Q6Ze5VimxkfQNSC+Mls/Kx53s7TjP1RhFEDQ==
+
 morgan@^1.10.0:
   version "1.10.0"
   resolved "https://registry.yarnpkg.com/morgan/-/morgan-1.10.0.tgz#091778abc1fc47cd3509824653dae1faab6b17d7"