feat: implement refresh token

Author: raphico

docs/api.md

@@ -78,3 +78,22 @@ Logs in a user, returns **JWT access_token** in JSON and sets a **refresh_token*
 **Errors**:
 
 - `401 Unauthorized` → invalid credentials
+
+### 3. Refresh Token
+
+`POST /auth/refresh`
+
+Uses the **refresh token cookie** to issue a new access token.
+
+**Response** `200 OK`:
+
+```json
+{
+  "access_token": "<NEW_JWT_TOKEN>",
+  "expires_in": 3600
+}
+```
+
+**Errors**:
+
+- `401 Unauthorized` → invalid_request/invalid_grant

internal/db/token_repository.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgconn"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/raphico/go-device-telemetry-api/internal/domain/token"
@@ -54,3 +55,71 @@ func (r *TokenRepository) Create(ctx context.Context, t *token.Token) error {
 
 	return nil
 }
+
+func (r *TokenRepository) FindValidTokenByHash(ctx context.Context, hash []byte, scope string) (*token.Token, error) {
+	t := &token.Token{}
+	query := `
+		SELECT id, token_hash, user_id, scope, revoked, expires_at, last_used_at, created_at
+		FROM tokens
+		WHERE token_hash = $1 
+			AND scope = $2
+			AND revoked = false 
+			AND expires_at > now()
+	`
+
+	err := r.db.QueryRow(ctx, query, hash, scope).Scan(
+		&t.ID,
+		&t.Hash,
+		&t.UserID,
+		&t.Scope,
+		&t.Revoked,
+		&t.ExpiresAt,
+		&t.LastUsedAt,
+		&t.CreatedAt,
+	)
+
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, token.ErrTokenNotFound
+		}
+
+		return nil, fmt.Errorf("failed to find token: %w", err)
+	}
+
+	return t, nil
+}
+
+func (r *TokenRepository) Revoke(ctx context.Context, scope string, hash []byte) error {
+	query := `
+		UPDATE tokens
+		SET revoked = true
+		WHERE token_hash = $1
+			AND scope = $2
+			AND revoked = false
+	`
+
+	tag, err := r.db.Exec(ctx, query, hash, scope)
+	if err != nil {
+		return fmt.Errorf("failed to revoke token: %w", err)
+	}
+
+	if tag.RowsAffected() == 0 {
+		return token.ErrTokenNotFound
+	}
+
+	return nil
+}
+
+func (r *TokenRepository) UpdateLastUsed(ctx context.Context, hash []byte) error {
+	query := `UPDATE tokens SET last_used_at = now() WHERE token_hash = $1 AND revoked = false`
+	tag, err := r.db.Exec(ctx, query, hash)
+	if err != nil {
+		return fmt.Errorf("failed to revoke token: %w", err)
+	}
+
+	if tag.RowsAffected() == 0 {
+		return token.ErrTokenNotFound
+	}
+
+	return nil
+}

internal/domain/token/errors.go

@@ -5,6 +5,7 @@ import "errors"
 var (
 	ErrTokenGenerationFailed = errors.New("failed to generate token")
 	ErrUserNotFound          = errors.New("user not found")
+	ErrTokenNotFound         = errors.New("token not found")
 	ErrTokenAlreadyExists    = errors.New("token already exists")
 	ErrInvalidToken          = errors.New("invalid token")
 	ErrExpiredToken          = errors.New("token expired")

internal/domain/token/repository.go

@@ -1,7 +1,12 @@
 package token
 
-import "context"
+import (
+	"context"
+)
 
 type Repository interface {
 	Create(ctx context.Context, t *Token) error
+	FindValidTokenByHash(ctx context.Context, hash []byte, scope string) (*Token, error)
+	Revoke(ctx context.Context, scope string, hash []byte) error
+	UpdateLastUsed(ctx context.Context, hash []byte) error
 }

internal/domain/token/service.go

@@ -64,3 +64,33 @@ func (s *Service) CreateRefreshToken(ctx context.Context, userId user.UserID) (*
 
 	return token, nil
 }
+
+func (s *Service) RotateTokens(ctx context.Context, refreshTok string) (string, *Token, error) {
+	hash := HashPlaintext(refreshTok)
+
+	tokenRecord, err := s.repo.FindValidTokenByHash(ctx, hash, "auth")
+	if err != nil {
+		fmt.Println(err)
+		return "", nil, err
+	}
+
+	if err := s.repo.UpdateLastUsed(ctx, hash); err != nil {
+		return "", nil, err
+	}
+
+	if err := s.repo.Revoke(ctx, "auth", tokenRecord.Hash); err != nil {
+		return "", nil, err
+	}
+
+	accessToken, err := s.GenerateAccessToken(tokenRecord.UserID)
+	if err != nil {
+		return "", nil, err
+	}
+
+	token, err := s.CreateRefreshToken(ctx, tokenRecord.UserID)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return accessToken, token, nil
+}

internal/domain/token/token.go

@@ -21,7 +21,8 @@ type Token struct {
 	Scope      string
 	Revoked    bool
 	ExpiresAt  time.Time
-	LastUsedAt time.Time
+	LastUsedAt *time.Time
+	CreatedAt  time.Time
 }
 
 func NewToken(userId user.UserID, ttl time.Duration, scope string) (*Token, error) {
@@ -32,7 +33,7 @@ func NewToken(userId user.UserID, ttl time.Duration, scope string) (*Token, erro
 
 	plaintext := base64.RawURLEncoding.EncodeToString(b)
 
-	hash := sha256.Sum256([]byte(plaintext))
+	hash := HashPlaintext(plaintext)
 
 	return &Token{
 		UserID:    userId,
@@ -42,3 +43,8 @@ func NewToken(userId user.UserID, ttl time.Duration, scope string) (*Token, erro
 		Scope:     scope,
 	}, nil
 }
+
+func HashPlaintext(plaintext string) []byte {
+	hash := sha256.Sum256([]byte(plaintext))
+	return hash[:]
+}

internal/transport/http/router.go

@@ -30,6 +30,7 @@ func NewRouter(log *logger.Logger, userHandler *UserHandler) http.Handler {
 		r.Route("/auth", func(r chi.Router) {
 			r.Post("/register", userHandler.RegisterUser)
 			r.Post("/login", userHandler.LoginUser)
+			r.Post("/refresh", userHandler.RefreshAccessToken)
 		})
 	})
 

internal/transport/http/user_handler.go

@@ -93,7 +93,7 @@ type loginUserRequest struct {
 	Password string `json:"password"`
 }
 
-type loginUserResponse struct {
+type tokenResponse struct {
 	AccessToken string `json:"access_token"`
 	ExpiresIn   int    `json:"expires_in"`
 }
@@ -113,13 +113,13 @@ func (h *UserHandler) LoginUser(w http.ResponseWriter, r *http.Request) {
 
 	accessToken, err := h.tokenService.GenerateAccessToken(user.ID)
 	if err != nil {
-		WriteJSONError(w, http.StatusInternalServerError, "server_error", "failed to generate access token")
+		WriteJSONError(w, http.StatusInternalServerError, "internal_error", "failed to generate access token")
 		return
 	}
 
 	refreshToken, err := h.tokenService.CreateRefreshToken(r.Context(), user.ID)
 	if err != nil {
-		WriteJSONError(w, http.StatusInternalServerError, "server_error", "failed to create refresh token")
+		WriteJSONError(w, http.StatusInternalServerError, "internal_error", "failed to create refresh token")
 		return
 	}
 
@@ -138,7 +138,45 @@ func (h *UserHandler) LoginUser(w http.ResponseWriter, r *http.Request) {
 	}
 	http.SetCookie(w, cookie)
 
-	resp := &loginUserResponse{
+	resp := tokenResponse{
+		AccessToken: accessToken,
+		ExpiresIn:   int(h.cfg.AccessTokenTTL.Seconds()),
+	}
+
+	WriteJSON(w, http.StatusOK, resp)
+}
+
+func (h *UserHandler) RefreshAccessToken(w http.ResponseWriter, r *http.Request) {
+	cookie, err := r.Cookie("refresh_token")
+	if err != nil {
+		WriteJSONError(w, http.StatusUnauthorized, "invalid_request", "refresh token missing")
+		return
+	}
+
+	refreshTok := cookie.Value
+
+	accessToken, refreshToken, err := h.tokenService.RotateTokens(r.Context(), refreshTok)
+	if err != nil {
+		WriteJSONError(w, http.StatusUnauthorized, "invalid_grant", "invalid or expired refresh token")
+		return
+	}
+
+	cookie = &http.Cookie{
+		Name:     "refresh_token",
+		Value:    refreshToken.Plaintext,
+		Path:     "/",
+		HttpOnly: true,
+		Expires:  refreshToken.ExpiresAt,
+		SameSite: http.SameSiteLaxMode,
+	}
+	if h.cfg.Env == "production" {
+		cookie.Secure = true
+	} else {
+		cookie.Secure = false
+	}
+	http.SetCookie(w, cookie)
+
+	resp := tokenResponse{
 		AccessToken: accessToken,
 		ExpiresIn:   int(h.cfg.AccessTokenTTL.Seconds()),
 	}