Issue #52 refresh token endpoint (#55)

Author: bakhterets

Diff for: app

@@ -98,6 +98,10 @@ func (p *Provider) revokeToken(refreshToken string) error {
 	return p.kc.revokeToken(refreshToken)
 }
 
+func (p *Provider) refreshToken(refreshToken string) (*TokenRepr, error) {
+	return p.kc.refreshToken(refreshToken)
+}
+
 func GetLoginPageHandler(prov *Provider, logger *zap.Logger) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		logger.Info("start to process login page request")
@@ -227,3 +231,35 @@ func PutLogoutHandler(prov *Provider, logger *zap.Logger) gin.HandlerFunc {
 		c.Status(http.StatusNoContent)
 	}
 }
+
+type RefreshTokenReq struct {
+	RefreshToken string `json:"refresh_token"`
+}
+
+func PostRefreshHandler(prov *Provider, logger *zap.Logger) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		logger.Info("start processing refresh token request")
+
+		var req RefreshTokenReq
+		err := c.ShouldBindJSON(&req)
+		if err != nil {
+			apiErrors.RaiseBadRequestErr(c, apiErrors.ErrAuthMissingRefreshToken)
+			return
+		}
+
+		token, err := prov.refreshToken(req.RefreshToken)
+		if err != nil {
+			var keycloakErrorResponse KeycloakExternalError
+			switch {
+			case errors.As(err, &keycloakErrorResponse):
+				apiErrors.RaiseBadRequestErr(c, keycloakErrorResponse)
+			default:
+				logger.Error("failed to refresh token", zap.Error(err))
+				apiErrors.RaiseInternalErr(c, apiErrors.ErrAuthFailedRefreshToken)
+			}
+
+			return
+		}
+		c.JSON(http.StatusOK, token)
+	}
+}

Diff for: internal/api/auth/auth.go

@@ -162,3 +162,39 @@ func (kc *Keycloak) revokeToken(refreshToken string) error {
 
 	return nil
 }
+
+func (kc *Keycloak) refreshToken(refreshToken string) (*TokenRepr, error) {
+	data := url.Values{}
+	data.Set("grant_type", "refresh_token")
+	data.Set("client_id", kc.clientID)
+	data.Set("client_secret", kc.clientSecret)
+	data.Set("refresh_token", refreshToken)
+
+	req, err := http.NewRequest(http.MethodPost, kc.tokenURL, strings.NewReader(data.Encode())) //nolint:noctx
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := kc.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
+		var errResp KeycloakExternalError
+		if err = json.NewDecoder(resp.Body).Decode(&errResp); err != nil {
+			return nil, err
+		}
+
+		return nil, errResp
+	}
+
+	var token TokenRepr
+	if err = json.NewDecoder(resp.Body).Decode(&token); err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}

Diff for: internal/api/auth/keycloak.go

@@ -11,3 +11,5 @@ var ErrAuthExchangeToken = errors.New("failed to exchange token")
 var ErrAuthWrongCodeVerifier = errors.New("failed to extract code verifier")
 var ErrAuthMissingDataForCodeVerifier = errors.New("missing data for code verifier")
 var ErrAuthMissingRefreshToken = errors.New("refresh token is missing")
+var ErrAuthFailedRefreshToken = errors.New("failed to refresh token")
+var ErrAuthExpiredRefreshToken = errors.New("refresh token has expired or is invalid")

Diff for: internal/api/errors/auth.go

@@ -29,17 +29,17 @@ func Return404(c *gin.Context) {
 
 func RaiseInternalErr(c *gin.Context, err error) {
 	intErr := fmt.Errorf("%w: %w", ErrInternalError, err)
-	_ = c.AbortWithError(http.StatusInternalServerError, ReturnError(intErr))
+	c.AbortWithStatusJSON(http.StatusInternalServerError, ReturnError(intErr))
 }
 
 func RaiseBadRequestErr(c *gin.Context, err error) {
-	_ = c.AbortWithError(http.StatusBadRequest, ReturnError(err))
+	c.AbortWithStatusJSON(http.StatusBadRequest, ReturnError(err))
 }
 
 func RaiseStatusNotFoundErr(c *gin.Context, err error) {
-	_ = c.AbortWithError(http.StatusNotFound, ReturnError(err))
+	c.AbortWithStatusJSON(http.StatusNotFound, ReturnError(err))
 }
 
 func RaiseNotAuthorizedErr(c *gin.Context, err error) {
-	_ = c.AbortWithError(http.StatusUnauthorized, ReturnError(err))
+	c.AbortWithStatusJSON(http.StatusUnauthorized, ReturnError(err))
 }

Diff for: internal/api/errors/errors.go

@@ -20,6 +20,7 @@ func (a *API) InitRoutes() {
 		authAPI.GET("callback", auth.GetCallbackHandler(a.oa2Prov, a.log))
 		authAPI.POST("token", auth.PostTokenHandler(a.oa2Prov, a.log))
 		authAPI.PUT("logout", auth.PutLogoutHandler(a.oa2Prov, a.log))
+		authAPI.POST("refresh", auth.PostRefreshHandler(a.oa2Prov, a.log))
 	}
 
 	v1API := a.r.Group(v1Group)

Diff for: internal/api/routes.go

@@ -111,7 +111,30 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/BadRequestGeneralError'
-
+  /auth/refresh:
+    post:
+      summary: Refresh an access token using a refresh token.
+      tags:
+        - authentication
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TokenRefreshRequest'
+        required: true
+      responses:
+        '200':
+          description: Return new access and refresh tokens.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TokenPostResponse'
+        '400':
+          description: The request is invalid.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BadRequestGeneralError'
   /v2/components:
     get:
       summary: Get all components.
@@ -358,6 +381,14 @@ components:
       properties:
         refresh_token:
           type: string
+    TokenRefreshRequest:
+      type: object
+      required:
+        - refresh_token
+      properties:
+        refresh_token:
+          type: string
+          example: "eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjOTBjZjFhOC1kNjcxLTRjNzktYTBlYi0yYmI3Y2M2NThiNzIifQ..."
     Component:
       type: object
       required: