added refresh tocken

internal/auth/service.go

@@ -2,6 +2,9 @@ package auth
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"time"
@@ -16,22 +19,67 @@ var (
 	ErrInvalidCreds   = errors.New("invalid email or password")
 	ErrUserNotFound   = errors.New("user not found")
 	ErrInvalidUserID  = errors.New("invalid user ID")
+	ErrInvalidRefresh = errors.New("invalid refresh token")
+	ErrRefreshExpired = errors.New("refresh token expired")
 )
 
 type Service struct {
-	repo      *Repository
-	jwtSecret []byte
-	jwtExp    time.Duration
+	repo       *Repository
+	jwtSecret  []byte
+	jwtExp     time.Duration
+	refreshExp time.Duration
 }
 
-func NewService(repo *Repository, jwtSecret string, jwtExp time.Duration) *Service {
+func NewService(repo *Repository, jwtSecret string, jwtExp, refreshExp time.Duration) *Service {
 	return &Service{
-		repo:      repo,
-		jwtSecret: []byte(jwtSecret),
-		jwtExp:    jwtExp,
+		repo:       repo,
+		jwtSecret:  []byte(jwtSecret),
+		jwtExp:     jwtExp,
+		refreshExp: refreshExp,
 	}
 }
 
+func sha256Hex(data string) string {
+	h := sha256.Sum256([]byte(data))
+	return fmt.Sprintf("%x", h)
+}
+
+func generateRandomToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+func (s *Service) issueTokenPair(ctx context.Context, user *User) (*AuthResponse, error) {
+	accessToken, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate access token: %w", err)
+	}
+
+	rawRefresh, err := generateRandomToken()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+
+	refreshDoc := &RefreshTokenDoc{
+		UserID:    user.ID,
+		TokenHash: sha256Hex(rawRefresh),
+		ExpiresAt: time.Now().UTC().Add(s.refreshExp),
+	}
+
+	if err := s.repo.CreateRefreshToken(ctx, refreshDoc); err != nil {
+		return nil, fmt.Errorf("failed to store refresh token: %w", err)
+	}
+
+	return &AuthResponse{
+		Token:        accessToken,
+		RefreshToken: rawRefresh,
+		User:         NewUserPublic(user),
+	}, nil
+}
+
 func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPublic, error) {
 	existing, err := s.repo.FindByEmail(ctx, req.Email)
 	if err != nil && !errors.Is(err, mongo.ErrNoDocuments) {
@@ -52,7 +100,7 @@ func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPubli
 		PasswordHash: string(hash),
 	}
 
-	if err := s.repo.Create(ctx, user); err != nil {
+	if err := s.repo.CreateUser(ctx, user); err != nil {
 		return nil, fmt.Errorf("failed to create user: %w", err)
 	}
 
@@ -73,15 +121,35 @@ func (s *Service) Login(ctx context.Context, req LoginRequest) (*AuthResponse, e
 		return nil, ErrInvalidCreds
 	}
 
-	token, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
+	return s.issueTokenPair(ctx, user)
+}
+
+func (s *Service) Refresh(ctx context.Context, rawRefresh string) (*AuthResponse, error) {
+	hash := sha256Hex(rawRefresh)
+
+	doc, err := s.repo.FindRefreshTokenByHash(ctx, hash)
 	if err != nil {
-		return nil, fmt.Errorf("failed to generate token: %w", err)
+		if errors.Is(err, mongo.ErrNoDocuments) {
+			return nil, ErrInvalidRefresh
+		}
+		return nil, fmt.Errorf("failed to find refresh token: %w", err)
 	}
 
-	return &AuthResponse{
-		Token: token,
-		User:  NewUserPublic(user),
-	}, nil
+	if time.Now().UTC().After(doc.ExpiresAt) {
+		s.repo.DeleteRefreshToken(ctx, doc.ID)
+		return nil, ErrRefreshExpired
+	}
+
+	if err := s.repo.DeleteRefreshToken(ctx, doc.ID); err != nil {
+		return nil, fmt.Errorf("failed to delete old refresh token: %w", err)
+	}
+
+	user, err := s.repo.FindByID(ctx, doc.UserID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find user: %w", err)
+	}
+
+	return s.issueTokenPair(ctx, user)
 }
 
 func (s *Service) GetUserByID(ctx context.Context, userID string) (*UserPublic, error) {