add refresh tokens

2026-03-22 16:48:58 -05:00
parent 31db3bc58c
commit 74307e614c
7 changed files with 497 additions and 3 deletions
--- a/api/src/Controllers/AuthController.cs
+++ b/api/src/Controllers/AuthController.cs
@@ -51,9 +51,18 @@ public class AuthController : ControllerBase {

        if(!result.Succeeded) return Unauthorized();

-        var token = jwt_.GenerateJwt(user);
+        var accessToken = jwt_.GenerateJwt(user);
+        var refreshToken = jwt_.GenerateRefreshToken();
+        RefreshToken newTokenObject = new RefreshToken {
+            Token = refreshToken,
+            UserId = user.Id,
+            CreatedAt = DateTime.UtcNow,
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            IsRevoked = false
+        };
+        await jwt_.AddRefreshToken(newTokenObject);

-        return Ok(new { token });
+        return Ok(new { accessToken, refreshToken });
    }

    [Authorize] // authorize is handled by middleware
@@ -65,6 +74,37 @@ public class AuthController : ControllerBase {
        return Ok();
    }

+    [HttpPost("refresh")] // allow-anonymous by default
+    public async Task<ActionResult> Refresh(TokenDto request) {
+        
+        RefreshToken? storedToken = await jwt_.GetRefreshToken(request.RefreshToken);
+        if (storedToken == null) return Unauthorized();
+        bool valid = (storedToken.IsRevoked) ||
+                     (storedToken.ExpiresAt < DateTime.UtcNow);
+        if(!valid) return Unauthorized(); // TODO: delete the invalid token
+
+        User? user = await jwt_.GetUser(storedToken.UserId);
+        if(user == null) return NotFound();
+        string? newAccessToken = jwt_.GenerateJwt(user);
+        if(newAccessToken == null) return NotFound();
+        string newRefreshToken = jwt_.GenerateRefreshToken();
+
+        storedToken.IsRevoked = true;
+        RefreshToken newTokenObject = new RefreshToken {
+            Token = newRefreshToken,
+            UserId = storedToken.UserId,
+            CreatedAt = DateTime.UtcNow,
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            IsRevoked = false
+        };
+
+        await jwt_.AddRefreshToken(newTokenObject);
+
+        return Ok(new { accessToken = newAccessToken, refreshToken = newRefreshToken });
+
+
+    }
+
    // TODO
    // refresh tokens
    // email verification