93 lines
2.2 KiB
Go
93 lines
2.2 KiB
Go
package routes
|
|
|
|
import (
|
|
"bssapp-backend/auth"
|
|
"bssapp-backend/internal/security"
|
|
"bssapp-backend/repository"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"net/http"
|
|
"time"
|
|
)
|
|
|
|
func setRefreshCookie(w http.ResponseWriter, plain string, exp time.Time) {
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "mk_refresh",
|
|
Value: plain,
|
|
Path: "/",
|
|
Expires: exp,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Secure: false, // prod: true
|
|
})
|
|
}
|
|
|
|
func AuthRefreshHandler(db *sql.DB) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
// 1) refresh cookie
|
|
c, err := r.Cookie("mk_refresh")
|
|
if err != nil || c.Value == "" {
|
|
http.Error(w, "refresh token missing", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
hash := security.HashRefreshToken(c.Value)
|
|
rtRepo := repository.NewRefreshTokenRepository(db)
|
|
|
|
// 2) validate + consume
|
|
mkUserID, err := rtRepo.ConsumeValid(hash)
|
|
if err != nil {
|
|
http.Error(w, "refresh token invalid", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// 3) rotate
|
|
newPlain, newHash, err := security.GenerateRefreshToken()
|
|
if err != nil {
|
|
http.Error(w, "refresh gen failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
refreshExp := time.Now().Add(14 * 24 * time.Hour)
|
|
if err := rtRepo.IssueRefreshToken(mkUserID, newHash, refreshExp); err != nil {
|
|
http.Error(w, "refresh store failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
setRefreshCookie(w, newPlain, refreshExp)
|
|
|
|
// 4) mk user reload
|
|
mkRepo := repository.NewMkUserRepository(db)
|
|
mkUser, err := mkRepo.GetByID(mkUserID)
|
|
if err != nil || !mkUser.IsActive {
|
|
http.Error(w, "user invalid", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
if mkUser.ForcePasswordChange {
|
|
http.Error(w, "password change required", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// 5) new access token
|
|
claims := auth.BuildClaimsFromUser(mkUser, 15*time.Minute)
|
|
|
|
token, err := auth.GenerateToken(
|
|
claims,
|
|
mkUser.Username,
|
|
mkUser.ForcePasswordChange,
|
|
)
|
|
if err != nil {
|
|
http.Error(w, "access token gen failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// 6) response
|
|
_ = json.NewEncoder(w).Encode(map[string]any{
|
|
"success": true,
|
|
"token": token,
|
|
})
|
|
|
|
}
|
|
}
|