From b0f5cefba592f6bc7166cdd5d83899dc2bbcb355 Mon Sep 17 00:00:00 2001
From: Vidhu Kant Sharma <vidhukant@vidhukant.com>
Date: Fri, 10 Oct 2025 17:29:30 +0530
Subject: added refresh token versioning

---
 auth/auth.go       |  6 ++++++
 auth/controller.go | 29 ++++++++++++++++++++++++-----
 2 files changed, 30 insertions(+), 5 deletions(-)

(limited to 'auth')

diff --git a/auth/auth.go b/auth/auth.go
index 7116a2c..4ac6445 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -26,6 +26,12 @@ type AuthClaims struct {
 	UserID uint `json:"userid"`
 }
 
+type RefreshClaims struct {
+	jwt.RegisteredClaims
+	UserID  uint `json:"userid"`
+	Version uint `json:"version"`
+}
+
 type LoginReq struct {
 	AccountName string
 	Method      string
diff --git a/auth/controller.go b/auth/controller.go
index 7e3346e..05cdd9d 100644
--- a/auth/controller.go
+++ b/auth/controller.go
@@ -103,12 +103,13 @@ func handleSignIn (ctx *gin.Context) {
 	}
 
 	refreshToken, err := jwt.NewWithClaims(jwt.SigningMethodHS256,
-		AuthClaims {
+		RefreshClaims {
 			jwt.RegisteredClaims {
 				IssuedAt: jwt.NewNumericDate(time.Now()),
 			  ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 6)),
 			},
 			u.ID,
+			u.TokenVersion,
 		},
 	).SignedString(REFRESH_KEY)
 	if err != nil {
@@ -137,13 +138,34 @@ func handleRefresh (ctx *gin.Context) {
 		return []byte(REFRESH_KEY), nil
 	})
 
-	claims, ok := tk.Claims.(*AuthClaims)
+	claims, ok := tk.Claims.(*RefreshClaims)
 	if !ok {
 		ctx.Error(errors.ErrUnauthorized)
 		ctx.Abort()
 		return
 	}
 
+	// check token version
+	var u user.User
+	err := user.GetUser(&u, claims.UserID)
+	if err != nil {
+		if err == errors.ErrNotFound {
+		  ctx.Error(errors.ErrUnauthorized)
+		  ctx.Abort()
+		  return
+		} else {
+		  ctx.Error(err)
+		  ctx.Abort()
+		  return
+		}
+	}
+	if (u.TokenVersion != claims.Version) {
+		ctx.Error(errors.ErrSessionExpired)
+		ctx.Abort()
+		return
+	}
+
+
 	if !tk.Valid {
 		eat := claims.ExpiresAt.Unix()
 		if eat != 0 && eat < time.Now().Unix() {
@@ -156,8 +178,6 @@ func handleRefresh (ctx *gin.Context) {
 		return
 	}
 
-	// TODO: if token is valid, check if user even exists before generating authToken
-
 	authToken, err := jwt.NewWithClaims(jwt.SigningMethodHS256,
 		AuthClaims {
 			jwt.RegisteredClaims {
@@ -177,6 +197,5 @@ func handleRefresh (ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, gin.H{
 		"auth_token": authToken,
 		"message": "success",
-		//"data": u,
 	})
 }
-- 
cgit v1.2.3