adds refresh path

pemattern · pemattern · commit 02f6b0d0e2db · 2025-10-17T18:24:27.000+02:00
diff --git a/server/src/handlers/auth.rs b/server/src/handlers/auth.rs
@@ -1,6 +1,11 @@
 use axum::{Extension, extract::State};
 
-use crate::{error::AppResult, models::User, schemas::token::LoginResponse, state::AppState};
+use crate::{
+    error::AppResult,
+    models::User,
+    schemas::token::{LoginResponse, RefreshResponse},
+    state::AppState,
+};
 
 #[axum::debug_handler]
 #[utoipa::path(post, path = "/auth/login")]
@@ -10,10 +15,15 @@ pub async fn login(
 ) -> AppResult<LoginResponse> {
     let access_token = state.auth_service.generate_access_token(&user)?;
     let refresh_token = state.auth_service.generate_refresh_token(&user).await?;
-    Ok(LoginResponse {
-        access_token,
-        refresh_token,
-        token_type: String::from("Bearer"),
-        expires_in: 60 * 15, // Todo get from auth service
-    })
+    Ok(LoginResponse::new(access_token, refresh_token))
+}
+
+#[axum::debug_handler]
+#[utoipa::path(post, path = "/auth/refresh")]
+pub async fn refresh(
+    State(state): State<AppState>,
+    Extension(user): Extension<User>,
+) -> AppResult<RefreshResponse> {
+    let access_token = state.auth_service.generate_access_token(&user)?;
+    Ok(RefreshResponse::new(access_token))
 }
diff --git a/server/src/main.rs b/server/src/main.rs
@@ -7,7 +7,6 @@ mod routes;
 mod schemas;
 mod services;
 mod state;
-mod util;
 
 use crate::state::AppState;
 
diff --git a/server/src/models/refresh_token.rs b/server/src/models/refresh_token.rs
@@ -6,7 +6,7 @@ use uuid::Uuid;
 pub struct RefreshToken {
     pub id: Uuid,
     pub user_id: Uuid,
-    pub token_hash: String,
+    pub refresh_token_hash: String,
     pub created_at: DateTime<Local>,
     pub updated_at: DateTime<Local>,
 }
diff --git a/server/src/repositories/mocks/refresh_token.rs b/server/src/repositories/mocks/refresh_token.rs
@@ -1,7 +1,7 @@
 use std::sync::{Arc, Mutex};
 
 use async_trait::async_trait;
-use chrono::DateTime;
+use chrono::{DateTime, Local};
 use uuid::Uuid;
 
 use crate::{
@@ -16,7 +16,7 @@ impl RefreshToken {
             id: Uuid::default(),
             user_id: Uuid::default(),
             // password123
-            token_hash: String::from(
+            refresh_token_hash: String::from(
                 "$argon2id$v=19$m=16,t=2,p=1$NjFWcEMwUEQ0dmZXcDMwSg$TfJtuSrudRp6hhV2mFSt3g",
             ),
             created_at: DateTime::default(),
@@ -51,10 +51,14 @@ impl RefreshTokenRepository for MockRefreshTokenRepository {
             .collect::<Vec<RefreshToken>>())
     }
 
-    async fn create(&self, user_id: Uuid, token_hash: String) -> RepositoryResult<RefreshToken> {
+    async fn create(
+        &self,
+        user_id: Uuid,
+        refresh_token_hash: String,
+    ) -> RepositoryResult<RefreshToken> {
         let mut refresh_token = RefreshToken::mock();
         refresh_token.user_id = user_id;
-        refresh_token.token_hash = token_hash;
+        refresh_token.refresh_token_hash = refresh_token_hash;
         let mut data = self.data.lock().unwrap();
         data.push(refresh_token.clone());
         Ok(refresh_token)
diff --git a/server/src/repositories/refresh_token.rs b/server/src/repositories/refresh_token.rs
@@ -29,11 +29,14 @@ impl PostgresRefreshTokenRepository {
 #[async_trait]
 impl RefreshTokenRepository for PostgresRefreshTokenRepository {
     async fn find_by_user_id(&self, id: Uuid) -> RepositoryResult<Vec<RefreshToken>> {
-        let refresh_token =
-            sqlx::query_as::<_, RefreshToken>("SELECT * FROM refresh_tokens WHERE id = $1;")
-                .bind(id)
-                .fetch_all(&self.pool)
-                .await?;
+        let query = "
+            SELECT * FROM refresh_tokens
+            WHERE id = $1;
+        ";
+        let refresh_token = sqlx::query_as::<_, RefreshToken>(query)
+            .bind(id)
+            .fetch_all(&self.pool)
+            .await?;
         Ok(refresh_token)
     }
 
@@ -42,23 +45,29 @@ impl RefreshTokenRepository for PostgresRefreshTokenRepository {
         user_id: Uuid,
         refresh_token_hash: String,
     ) -> RepositoryResult<RefreshToken> {
-        let user = sqlx::query_as::<_, RefreshToken>(
-            "INSERT INTO refresh_tokens (user_id, token_hash) VALUES ($1, $2) RETURNING *;",
-        )
-        .bind(user_id)
-        .bind(&refresh_token_hash)
-        .fetch_one(&self.pool)
-        .await?;
+        let query = "
+            INSERT INTO refresh_tokens (user_id, refresh_token_hash)
+            VALUES ($1, $2)
+            RETURNING *;
+        ";
+        let user = sqlx::query_as::<_, RefreshToken>(query)
+            .bind(user_id)
+            .bind(&refresh_token_hash)
+            .fetch_one(&self.pool)
+            .await?;
         Ok(user)
     }
 
     async fn delete(&self, id: Uuid) -> RepositoryResult<RefreshToken> {
-        let refresh_token = sqlx::query_as::<_, RefreshToken>(
-            "DELETE FROM refresh_tokens WHERE id = $1 RETURNING *;",
-        )
-        .bind(id)
-        .fetch_one(&self.pool)
-        .await?;
+        let query = "
+            DELETE FROM refresh_tokens
+            WHERE id = $1
+            RETURNING *;  
+        ";
+        let refresh_token = sqlx::query_as::<_, RefreshToken>(query)
+            .bind(id)
+            .fetch_one(&self.pool)
+            .await?;
         Ok(refresh_token)
     }
 }
diff --git a/server/src/routes/auth.rs b/server/src/routes/auth.rs
@@ -1,7 +1,12 @@
 use axum::{Router, routing::post};
 
-use crate::{handlers::auth::login, state::AppState};
+use crate::{
+    handlers::auth::{login, refresh},
+    state::AppState,
+};
 
 pub fn router() -> Router<AppState> {
-    Router::new().route("/login", post(login))
+    Router::new()
+        .route("/login", post(login))
+        .route("/refresh", post(refresh))
 }
diff --git a/server/src/schemas/token.rs b/server/src/schemas/token.rs
@@ -3,14 +3,24 @@ use axum::{
     http::{StatusCode, header},
     response::{IntoResponse, Response},
 };
-use serde::Serialize;
+use serde::{Deserialize, Serialize};
 
 #[derive(Serialize)]
 pub struct LoginResponse {
     pub access_token: String,
     pub refresh_token: String,
     pub token_type: String,
-    pub expires_in: u64,
+}
+
+impl LoginResponse {
+    pub fn new(access_token: String, refresh_token: String) -> Self {
+        let token_type = String::from("Bearer");
+        Self {
+            access_token,
+            refresh_token,
+            token_type,
+        }
+    }
 }
 
 impl IntoResponse for LoginResponse {
@@ -20,16 +30,55 @@ impl IntoResponse for LoginResponse {
             [
                 (header::CACHE_CONTROL, "no-store"),
                 (header::PRAGMA, "no-cache"),
+                (
+                    header::SET_COOKIE,
+                    &refresh_token_cookie(&self.refresh_token),
+                ),
             ],
             Json(self),
         )
             .into_response()
     }
 }
 
+#[derive(Deserialize)]
+pub struct RefreshRequest {
+    pub access_token: String,
+}
+
 #[derive(Serialize)]
 pub struct RefreshResponse {
     pub access_token: String,
     pub token_type: String,
-    pub expires_in: String,
+}
+
+impl RefreshResponse {
+    pub fn new(access_token: String) -> Self {
+        let token_type = String::from("Bearer");
+        Self {
+            access_token,
+            token_type,
+        }
+    }
+}
+
+impl IntoResponse for RefreshResponse {
+    fn into_response(self) -> Response {
+        (
+            StatusCode::OK,
+            [
+                (header::CACHE_CONTROL, "no-store"),
+                (header::PRAGMA, "no-cache"),
+            ],
+            Json(self),
+        )
+            .into_response()
+    }
+}
+
+fn refresh_token_cookie(refresh_token: &str) -> String {
+    format!(
+        "refresh_token={}; HttpOnly; Secure; SameSite=Strict",
+        refresh_token
+    )
 }
diff --git a/server/src/services/auth.rs b/server/src/services/auth.rs
@@ -3,7 +3,7 @@ use argon2::{
     password_hash::{SaltString, rand_core::OsRng},
 };
 use base64::{Engine, prelude::BASE64_URL_SAFE_NO_PAD};
-use chrono::Utc;
+use chrono::Local;
 use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation, decode, encode};
 use serde::{Deserialize, Serialize};
 use std::{
@@ -18,14 +18,12 @@ use crate::{
     repositories::{refresh_token::RefreshTokenRepository, user::UserRepository},
 };
 
-const CONFIG_FILE_PATH: &str = "Server.toml";
 const ISSUER: &str = "open-erase";
-const ACCESS_TOKEN_VALIDITY_SECS: Duration = Duration::from_secs(60 * 15);
+const ACCESS_TOKEN_VALIDITY_DURATION: Duration = Duration::from_secs(60 * 15); // 15 minutes
 const KEY_LENGTH: usize = 32;
 
-static ARGON2: LazyLock<Argon2<'static>> = LazyLock::new(|| Argon2::default());
-static ENCRYPTION_KEY: LazyLock<[u8; KEY_LENGTH]> =
-    LazyLock::new(|| generate_byte_key::<KEY_LENGTH>());
+static ARGON2: LazyLock<Argon2<'static>> = LazyLock::new(Argon2::default);
+static ENCRYPTION_KEY: LazyLock<[u8; KEY_LENGTH]> = LazyLock::new(generate_byte_key::<KEY_LENGTH>);
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct Claims {
@@ -37,8 +35,8 @@ pub struct Claims {
 
 impl Claims {
     pub fn new(user_id: Uuid) -> Self {
-        let now = Utc::now();
-        let access_token_expires_at = now + ACCESS_TOKEN_VALIDITY_SECS;
+        let now = Local::now();
+        let access_token_expires_at = now + ACCESS_TOKEN_VALIDITY_DURATION;
         let sub = user_id.to_string();
         let exp = access_token_expires_at.timestamp() as usize;
         let iat = now.timestamp() as usize;

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ use uuid::Uuid;`
`6`	`6`	`pub struct RefreshToken {`
`7`	`7`	`pub id: Uuid,`
`8`	`8`	`pub user_id: Uuid,`
`9`		`- pub token_hash: String,`
	`9`	`+ pub refresh_token_hash: String,`
`10`	`10`	`pub created_at: DateTime<Local>,`
`11`	`11`	`pub updated_at: DateTime<Local>,`
`12`	`12`	`}`