added refresh tocken

internal/auth/handler.go

@@ -71,6 +71,36 @@ func (h *Handler) Login(c *gin.Context) {
 	c.JSON(http.StatusOK, resp)
 }
 
+// @Summary      Refresh epta token
+// @Description  Get a new access token using a refresh token
+// @Tags         auth
+// @Accept       json
+// @Produce      json
+// @Param        request  body  RefreshRequest  true  "Refresh token"
+// @Success      200  {object}  AuthResponse
+// @Failure      400  {object}  ErrorResponse
+// @Failure      401  {object}  ErrorResponse
+// @Router       /api/auth/refresh [post]
+func (h *Handler) Refresh(c *gin.Context) {
+	var req RefreshRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: err.Error()})
+		return
+	}
+
+	resp, err := h.service.Refresh(c.Request.Context(), req.RefreshToken)
+	if err != nil {
+		if errors.Is(err, ErrInvalidRefresh) || errors.Is(err, ErrRefreshExpired) {
+			c.JSON(http.StatusUnauthorized, ErrorResponse{Error: err.Error()})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, ErrorResponse{Error: "internal server error"})
+		return
+	}
+
+	c.JSON(http.StatusOK, resp)
+}
+
 // @Summary      Epta get current user
 // @Description  Get authenticated user's profile
 // @Tags         auth

internal/auth/models.go

@@ -26,8 +26,21 @@ type LoginRequest struct {
 }
 
 type AuthResponse struct {
-	Token string     `json:"token" example:"eyJhbGciOiJIUzI1NiIs..."`
-	User  UserPublic `json:"user"`
+	Token        string     `json:"token" example:"eyJhbGciOiJIUzI1NiIs..."`
+	RefreshToken string     `json:"refresh_token" example:"dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4="`
+	User         UserPublic `json:"user"`
+}
+
+type RefreshRequest struct {
+	RefreshToken string `json:"refresh_token" binding:"required" example:"dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4="`
+}
+
+type RefreshTokenDoc struct {
+	ID        bson.ObjectID `json:"id" bson:"_id"`
+	UserID    bson.ObjectID `json:"user_id" bson:"user_id"`
+	TokenHash string        `json:"token_hash" bson:"token_hash"`
+	ExpiresAt time.Time     `json:"expires_at" bson:"expires_at"`
+	CreatedAt time.Time     `json:"created_at" bson:"created_at"`
 }
 
 type UserPublic struct {

internal/auth/repository.go

@@ -10,33 +10,49 @@ import (
 )
 
 type Repository struct {
-	collection *mongo.Collection
+	usersCollection         *mongo.Collection
+	refreshTokensCollection *mongo.Collection
 }
 
 func NewRepository(db *mongo.Database) *Repository {
 	return &Repository{
-		collection: db.Collection("users"),
+		usersCollection:         db.Collection("users"),
+		refreshTokensCollection: db.Collection("refresh_tokens"),
 	}
 }
 
 func (r *Repository) EnsureIndexes(ctx context.Context) error {
-	_, err := r.collection.Indexes().CreateOne(ctx, mongo.IndexModel{
+	_, err := r.usersCollection.Indexes().CreateOne(ctx, mongo.IndexModel{
 		Keys:    bson.D{{Key: "email", Value: 1}},
 		Options: options.Index().SetUnique(true),
 	})
+	if err != nil {
+		return err
+	}
+
+	_, err = r.refreshTokensCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
+		{
+			Keys:    bson.D{{Key: "token_hash", Value: 1}},
+			Options: options.Index().SetUnique(true),
+		},
+		{
+			Keys:    bson.D{{Key: "expires_at", Value: 1}},
+			Options: options.Index().SetExpireAfterSeconds(0),
+		},
+	})
 	return err
 }
 
-func (r *Repository) Create(ctx context.Context, user *User) error {
+func (r *Repository) CreateUser(ctx context.Context, user *User) error {
 	user.ID = bson.NewObjectID()
 	user.CreatedAt = time.Now().UTC()
-	_, err := r.collection.InsertOne(ctx, user)
+	_, err := r.usersCollection.InsertOne(ctx, user)
 	return err
 }
 
 func (r *Repository) FindByEmail(ctx context.Context, email string) (*User, error) {
 	var user User
-	err := r.collection.FindOne(ctx, bson.M{"email": email}).Decode(&user)
+	err := r.usersCollection.FindOne(ctx, bson.M{"email": email}).Decode(&user)
 	if err != nil {
 		return nil, err
 	}
@@ -45,9 +61,32 @@ func (r *Repository) FindByEmail(ctx context.Context, email string) (*User, erro
 
 func (r *Repository) FindByID(ctx context.Context, id bson.ObjectID) (*User, error) {
 	var user User
-	err := r.collection.FindOne(ctx, bson.M{"_id": id}).Decode(&user)
+	err := r.usersCollection.FindOne(ctx, bson.M{"_id": id}).Decode(&user)
 	if err != nil {
 		return nil, err
 	}
 	return &user, nil
 }
+
+//Refresh
+
+func (r *Repository) CreateRefreshToken(ctx context.Context, doc *RefreshTokenDoc) error {
+	doc.ID = bson.NewObjectID()
+	doc.CreatedAt = time.Now().UTC()
+	_, err := r.refreshTokensCollection.InsertOne(ctx, doc)
+	return err
+}
+
+func (r *Repository) FindRefreshTokenByHash(ctx context.Context, hash string) (*RefreshTokenDoc, error) {
+	var doc RefreshTokenDoc
+	err := r.refreshTokensCollection.FindOne(ctx, bson.M{"token_hash": hash}).Decode(&doc)
+	if err != nil {
+		return nil, err
+	}
+	return &doc, nil
+}
+
+func (r *Repository) DeleteRefreshToken(ctx context.Context, id bson.ObjectID) error {
+	_, err := r.refreshTokensCollection.DeleteOne(ctx, bson.M{"_id": id})
+	return err
+}

internal/auth/service.go

@@ -2,6 +2,9 @@ package auth
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"time"
@@ -16,22 +19,67 @@ var (
 	ErrInvalidCreds   = errors.New("invalid email or password")
 	ErrUserNotFound   = errors.New("user not found")
 	ErrInvalidUserID  = errors.New("invalid user ID")
+	ErrInvalidRefresh = errors.New("invalid refresh token")
+	ErrRefreshExpired = errors.New("refresh token expired")
 )
 
 type Service struct {
-	repo      *Repository
-	jwtSecret []byte
-	jwtExp    time.Duration
+	repo       *Repository
+	jwtSecret  []byte
+	jwtExp     time.Duration
+	refreshExp time.Duration
 }
 
-func NewService(repo *Repository, jwtSecret string, jwtExp time.Duration) *Service {
+func NewService(repo *Repository, jwtSecret string, jwtExp, refreshExp time.Duration) *Service {
 	return &Service{
-		repo:      repo,
-		jwtSecret: []byte(jwtSecret),
-		jwtExp:    jwtExp,
+		repo:       repo,
+		jwtSecret:  []byte(jwtSecret),
+		jwtExp:     jwtExp,
+		refreshExp: refreshExp,
 	}
 }
 
+func sha256Hex(data string) string {
+	h := sha256.Sum256([]byte(data))
+	return fmt.Sprintf("%x", h)
+}
+
+func generateRandomToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+func (s *Service) issueTokenPair(ctx context.Context, user *User) (*AuthResponse, error) {
+	accessToken, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate access token: %w", err)
+	}
+
+	rawRefresh, err := generateRandomToken()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+
+	refreshDoc := &RefreshTokenDoc{
+		UserID:    user.ID,
+		TokenHash: sha256Hex(rawRefresh),
+		ExpiresAt: time.Now().UTC().Add(s.refreshExp),
+	}
+
+	if err := s.repo.CreateRefreshToken(ctx, refreshDoc); err != nil {
+		return nil, fmt.Errorf("failed to store refresh token: %w", err)
+	}
+
+	return &AuthResponse{
+		Token:        accessToken,
+		RefreshToken: rawRefresh,
+		User:         NewUserPublic(user),
+	}, nil
+}
+
 func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPublic, error) {
 	existing, err := s.repo.FindByEmail(ctx, req.Email)
 	if err != nil && !errors.Is(err, mongo.ErrNoDocuments) {
@@ -52,7 +100,7 @@ func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPubli
 		PasswordHash: string(hash),
 	}
 
-	if err := s.repo.Create(ctx, user); err != nil {
+	if err := s.repo.CreateUser(ctx, user); err != nil {
 		return nil, fmt.Errorf("failed to create user: %w", err)
 	}
 
@@ -73,15 +121,35 @@ func (s *Service) Login(ctx context.Context, req LoginRequest) (*AuthResponse, e
 		return nil, ErrInvalidCreds
 	}
 
-	token, err := GenerateToken(user.ID.Hex(), user.Email, s.jwtSecret, s.jwtExp)
+	return s.issueTokenPair(ctx, user)
+}
+
+func (s *Service) Refresh(ctx context.Context, rawRefresh string) (*AuthResponse, error) {
+	hash := sha256Hex(rawRefresh)
+
+	doc, err := s.repo.FindRefreshTokenByHash(ctx, hash)
 	if err != nil {
-		return nil, fmt.Errorf("failed to generate token: %w", err)
+		if errors.Is(err, mongo.ErrNoDocuments) {
+			return nil, ErrInvalidRefresh
+		}
+		return nil, fmt.Errorf("failed to find refresh token: %w", err)
 	}
 
-	return &AuthResponse{
-		Token: token,
-		User:  NewUserPublic(user),
-	}, nil
+	if time.Now().UTC().After(doc.ExpiresAt) {
+		s.repo.DeleteRefreshToken(ctx, doc.ID)
+		return nil, ErrRefreshExpired
+	}
+
+	if err := s.repo.DeleteRefreshToken(ctx, doc.ID); err != nil {
+		return nil, fmt.Errorf("failed to delete old refresh token: %w", err)
+	}
+
+	user, err := s.repo.FindByID(ctx, doc.UserID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find user: %w", err)
+	}
+
+	return s.issueTokenPair(ctx, user)
 }
 
 func (s *Service) GetUserByID(ctx context.Context, userID string) (*UserPublic, error) {