HellreigN/Control-plane
5
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

added refresh tocken

Browse Source
This commit is contained in:
Mephimeow
2026-06-12 10:01:21 +00:00
committed by zero@thinky
parent 321cba3f9b
commit a822d8c3b6
10 changed files with 362 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/handler.go
+30
View File
@@ -71,6 +71,36 @@ func (h *Handler) Login(c *gin.Context) {
c.JSON(http.StatusOK, resp)
}
// @Summary Refresh epta token
// @Description Get a new access token using a refresh token
// @Tags auth
// @Accept json
// @Produce json
// @Param request body RefreshRequest true "Refresh token"
// @Success 200 {object} AuthResponse
// @Failure 400 {object} ErrorResponse
// @Failure 401 {object} ErrorResponse
// @Router /api/auth/refresh [post]
func (h *Handler) Refresh(c *gin.Context) {
var req RefreshRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, ErrorResponse{Error: err.Error()})
return
}
resp, err := h.service.Refresh(c.Request.Context(), req.RefreshToken)
if err != nil {
if errors.Is(err, ErrInvalidRefresh) || errors.Is(err, ErrRefreshExpired) {
c.JSON(http.StatusUnauthorized, ErrorResponse{Error: err.Error()})
return
}
c.JSON(http.StatusInternalServerError, ErrorResponse{Error: "internal server error"})
return
}
c.JSON(http.StatusOK, resp)
}
// @Summary Epta get current user
// @Description Get authenticated user's profile
// @Tags auth
internal/auth/models.go
+15 -2
View File
@@ -26,8 +26,21 @@ type LoginRequest struct {
}
type AuthResponse struct {
Token string `json:"token" example:"eyJhbGciOiJIUzI1NiIs..."`
User UserPublic `json:"user"`
Token string `json:"token" example:"eyJhbGciOiJIUzI1NiIs..."`
RefreshToken string `json:"refresh_token" example:"dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4="`
User UserPublic `json:"user"`
}
type RefreshRequest struct {
RefreshToken string `json:"refresh_token" binding:"required" example:"dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4="`
}
type RefreshTokenDoc struct {
ID bson.ObjectID `json:"id" bson:"_id"`
UserID bson.ObjectID `json:"user_id" bson:"user_id"`
TokenHash string `json:"token_hash" bson:"token_hash"`
ExpiresAt time.Time `json:"expires_at" bson:"expires_at"`
CreatedAt time.Time `json:"created_at" bson:"created_at"`
}
type UserPublic struct {
internal/auth/repository.go
+46 -7
View File
@@ -10,33 +10,49 @@ import (
)
type Repository struct {
collection *mongo.Collection
usersCollection *mongo.Collection
refreshTokensCollection *mongo.Collection
}
func NewRepository(db *mongo.Database) *Repository {
return &Repository{
collection: db.Collection("users"),
usersCollection: db.Collection("users"),
refreshTokensCollection: db.Collection("refresh_tokens"),
}
}
func (r *Repository) EnsureIndexes(ctx context.Context) error {
_, err := r.collection.Indexes().CreateOne(ctx, mongo.IndexModel{
_, err := r.usersCollection.Indexes().CreateOne(ctx, mongo.IndexModel{
Keys: bson.D{{Key: "email", Value: 1}},
Options: options.Index().SetUnique(true),
})
if err != nil {
return err
}
_, err = r.refreshTokensCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
{
Keys: bson.D{{Key: "token_hash", Value: 1}},
Options: options.Index().SetUnique(true),
},
{
Keys: bson.D{{Key: "expires_at", Value: 1}},
Options: options.Index().SetExpireAfterSeconds(0),
},
})
return err
}
func (r *Repository) Create(ctx context.Context, user *User) error {
func (r *Repository) CreateUser(ctx context.Context, user *User) error {
user.ID = bson.NewObjectID()
user.CreatedAt = time.Now().UTC()
_, err := r.collection.InsertOne(ctx, user)
_, err := r.usersCollection.InsertOne(ctx, user)
return err
}
func (r *Repository) FindByEmail(ctx context.Context, email string) (*User, error) {
var user User
err := r.collection.FindOne(ctx, bson.M{"email": email}).Decode(&user)
err := r.usersCollection.FindOne(ctx, bson.M{"email": email}).Decode(&user)
if err != nil {
return nil, err
}
@@ -45,9 +61,32 @@ func (r *Repository) FindByEmail(ctx context.Context, email string) (*User, erro
func (r *Repository) FindByID(ctx context.Context, id bson.ObjectID) (*User, error) {
var user User
err := r.collection.FindOne(ctx, bson.M{"_id": id}).Decode(&user)
err := r.usersCollection.FindOne(ctx, bson.M{"_id": id}).Decode(&user)
if err != nil {
return nil, err
}
return &user, nil
}
//Refresh
func (r *Repository) CreateRefreshToken(ctx context.Context, doc *RefreshTokenDoc) error {
doc.ID = bson.NewObjectID()
doc.CreatedAt = time.Now().UTC()
_, err := r.refreshTokensCollection.InsertOne(ctx, doc)
return err
}
func (r *Repository) FindRefreshTokenByHash(ctx context.Context, hash string) (*RefreshTokenDoc, error) {
var doc RefreshTokenDoc
err := r.refreshTokensCollection.FindOne(ctx, bson.M{"token_hash": hash}).Decode(&doc)
if err != nil {
return nil, err
}
return &doc, nil
}
func (r *Repository) DeleteRefreshToken(ctx context.Context, id bson.ObjectID) error {
_, err := r.refreshTokensCollection.DeleteOne(ctx, bson.M{"_id": id})
return err
}
internal/auth/service.go
+82 -14
View File
@@ -2,6 +2,9 @@ package auth
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"time"
@@ -16,22 +19,67 @@ var (
ErrInvalidCreds = errors.New("invalid email or password")
ErrUserNotFound = errors.New("user not found")
ErrInvalidUserID = errors.New("invalid user ID")
ErrInvalidRefresh = errors.New("invalid refresh token")
ErrRefreshExpired = errors.New("refresh token expired")
)
type Service struct {
repo *Repository
jwtSecret []byte
jwtExp time.Duration
repo *Repository
jwtSecret []byte
jwtExp time.Duration
refreshExp time.Duration
}
func NewService(repo *Repository, jwtSecret string, jwtExp time.Duration) *Service {
func NewService(repo *Repository, jwtSecret string, jwtExp, refreshExp time.Duration) *Service {
return &Service{
repo: repo,
jwtSecret: []byte(jwtSecret),
jwtExp: jwtExp,
repo: repo,
jwtSecret: []byte(jwtSecret),
jwtExp: jwtExp,
refreshExp: refreshExp,
}
}
func sha256Hex(data string) string {
h := sha256.Sum256([]byte(data))
return fmt.Sprintf("%x", h)
}
func generateRandomToken() (string, error) {
b := make([]byte, 32)
if _, err := rand.Read(b); err != nil {
return "", fmt.Errorf("failed to generate random bytes: %w", err)
}
return base64.RawURLEncoding.EncodeToString(b), nil
}
func (s *Service) issueTokenPair(ctx context.Context, user *User) (*AuthResponse, error) {
accessToken, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
if err != nil {
return nil, fmt.Errorf("failed to generate access token: %w", err)
}
rawRefresh, err := generateRandomToken()
if err != nil {
return nil, fmt.Errorf("failed to generate refresh token: %w", err)
}
refreshDoc := &RefreshTokenDoc{
UserID: user.ID,
TokenHash: sha256Hex(rawRefresh),
ExpiresAt: time.Now().UTC().Add(s.refreshExp),
}
if err := s.repo.CreateRefreshToken(ctx, refreshDoc); err != nil {
return nil, fmt.Errorf("failed to store refresh token: %w", err)
}
return &AuthResponse{
Token: accessToken,
RefreshToken: rawRefresh,
User: NewUserPublic(user),
}, nil
}
func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPublic, error) {
existing, err := s.repo.FindByEmail(ctx, req.Email)
if err != nil && !errors.Is(err, mongo.ErrNoDocuments) {
@@ -52,7 +100,7 @@ func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPubli
PasswordHash: string(hash),
}
if err := s.repo.Create(ctx, user); err != nil {
if err := s.repo.CreateUser(ctx, user); err != nil {
return nil, fmt.Errorf("failed to create user: %w", err)
}
@@ -73,15 +121,35 @@ func (s *Service) Login(ctx context.Context, req LoginRequest) (*AuthResponse, e
return nil, ErrInvalidCreds
}
token, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
return s.issueTokenPair(ctx, user)
}
func (s *Service) Refresh(ctx context.Context, rawRefresh string) (*AuthResponse, error) {
hash := sha256Hex(rawRefresh)
doc, err := s.repo.FindRefreshTokenByHash(ctx, hash)
if err != nil {
return nil, fmt.Errorf("failed to generate token: %w", err)
if errors.Is(err, mongo.ErrNoDocuments) {
return nil, ErrInvalidRefresh
}
return nil, fmt.Errorf("failed to find refresh token: %w", err)
}
return &AuthResponse{
Token: token,
User: NewUserPublic(user),
}, nil
if time.Now().UTC().After(doc.ExpiresAt) {
s.repo.DeleteRefreshToken(ctx, doc.ID)
return nil, ErrRefreshExpired
}
if err := s.repo.DeleteRefreshToken(ctx, doc.ID); err != nil {
return nil, fmt.Errorf("failed to delete old refresh token: %w", err)
}
user, err := s.repo.FindByID(ctx, doc.UserID)
if err != nil {
return nil, fmt.Errorf("failed to find user: %w", err)
}
return s.issueTokenPair(ctx, user)
}
func (s *Service) GetUserByID(ctx context.Context, userID string) (*UserPublic, error) {
internal/config/config.go
+20 -10
View File
@@ -9,22 +9,24 @@ import (
)
type Config struct {
ServerPort string
MongoURI string
MongoDB string
JWTSecret string
JWTExpiration time.Duration
ServerPort string
MongoURI string
MongoDB string
JWTSecret string
JWTExpiration time.Duration
JWTRefreshExpiration time.Duration
}
func Load() (*Config, error) {
godotenv.Load()
cfg := &Config{
ServerPort: getEnv("SERVER_PORT", "8080"),
MongoURI: getEnv("MONGO_URI", "mongodb://localhost:27017"),
MongoDB: getEnv("MONGO_DB", "aegisguard"),
JWTSecret: getEnv("JWT_SECRET", ""),
JWTExpiration: 24 * time.Hour,
ServerPort: getEnv("SERVER_PORT", "8080"),
MongoURI: getEnv("MONGO_URI", "mongodb://localhost:27017"),
MongoDB: getEnv("MONGO_DB", "aegisguard"),
JWTSecret: getEnv("JWT_SECRET", ""),
JWTExpiration: 24 * time.Hour,
JWTRefreshExpiration: 7 * 24 * time.Hour,
}
if cfg.JWTSecret == "" {
@@ -39,6 +41,14 @@ func Load() (*Config, error) {
cfg.JWTExpiration = d
}
if expStr := os.Getenv("JWT_REFRESH_EXPIRATION"); expStr != "" {
d, err := time.ParseDuration(expStr)
if err != nil {
return nil, fmt.Errorf("invalid JWT_REFRESH_EXPIRATION: %w", err)
}
cfg.JWTRefreshExpiration = d
}
return cfg, nil
}