feat(auth): refresh tokens + remember me

Backend: add refresh JWT (30d, token_type claim), POST /auth/refresh endpoint (rotates token pair), remember_me on login, JWT_REFRESH_EXPIRY_DAYS env var. Extractors now reject refresh tokens on protected routes. Frontend: sessionStorage for non-remembered sessions, localStorage + refresh token for remembered sessions. Transparent 401 recovery in api.ts (retry once after refresh). Remember me checkbox on login page with security note when checked.
2026-03-19 22:24:26 +01:00
parent 8bdd5e2277
commit d2412da057
13 changed files with 307 additions and 35 deletions
--- a/k-tv-backend/infra/src/auth/jwt.rs
+++ b/k-tv-backend/infra/src/auth/jwt.rs
@@ -20,8 +20,10 @@ pub struct JwtConfig {
    pub issuer: Option<String>,
    /// Expected audience (for validation)
    pub audience: Option<String>,
-    /// Token expiry in hours (default: 24)
+    /// Access token expiry in hours (default: 24)
    pub expiry_hours: u64,
+    /// Refresh token expiry in days (default: 30)
+    pub refresh_expiry_days: u64,
 }

 impl JwtConfig {
@@ -33,6 +35,7 @@ impl JwtConfig {
        issuer: Option<String>,
        audience: Option<String>,
        expiry_hours: Option<u64>,
+        refresh_expiry_days: Option<u64>,
        is_production: bool,
    ) -> Result<Self, JwtError> {
        // Validate secret strength in production
@@ -48,6 +51,7 @@ impl JwtConfig {
            issuer,
            audience,
            expiry_hours: expiry_hours.unwrap_or(24),
+            refresh_expiry_days: refresh_expiry_days.unwrap_or(30),
        })
    }

@@ -58,10 +62,15 @@ impl JwtConfig {
            issuer: None,
            audience: None,
            expiry_hours: 24,
+            refresh_expiry_days: 30,
        }
    }
 }

+fn default_token_type() -> String {
+    "access".to_string()
+}
+
 /// JWT claims structure
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct JwtClaims {
@@ -79,6 +88,9 @@ pub struct JwtClaims {
    /// Audience
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aud: Option<String>,
+    /// Token type: "access" or "refresh". Defaults to "access" for backward compat.
+    #[serde(default = "default_token_type")]
+    pub token_type: String,
 }

 /// JWT-related errors
@@ -141,7 +153,7 @@ impl JwtValidator {
        }
    }

-    /// Create a JWT token for the given user
+    /// Create an access JWT token for the given user
    pub fn create_token(&self, user: &User) -> Result<String, JwtError> {
        let now = SystemTime::now()
            .duration_since(UNIX_EPOCH)
@@ -157,6 +169,30 @@ impl JwtValidator {
            iat: now,
            iss: self.config.issuer.clone(),
            aud: self.config.audience.clone(),
+            token_type: "access".to_string(),
+        };
+
+        let header = Header::new(Algorithm::HS256);
+        encode(&header, &claims, &self.encoding_key).map_err(JwtError::CreationFailed)
+    }
+
+    /// Create a refresh JWT token for the given user (longer-lived)
+    pub fn create_refresh_token(&self, user: &User) -> Result<String, JwtError> {
+        let now = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("Time went backwards")
+            .as_secs() as usize;
+
+        let expiry = now + (self.config.refresh_expiry_days as usize * 86400);
+
+        let claims = JwtClaims {
+            sub: user.id.to_string(),
+            email: user.email.as_ref().to_string(),
+            exp: expiry,
+            iat: now,
+            iss: self.config.issuer.clone(),
+            aud: self.config.audience.clone(),
+            token_type: "refresh".to_string(),
        };

        let header = Header::new(Algorithm::HS256);
@@ -176,6 +212,24 @@ impl JwtValidator {
        Ok(token_data.claims)
    }

+    /// Validate an access token — rejects refresh tokens
+    pub fn validate_access_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let claims = self.validate_token(token)?;
+        if claims.token_type != "access" {
+            return Err(JwtError::ValidationFailed("Not an access token".to_string()));
+        }
+        Ok(claims)
+    }
+
+    /// Validate a refresh token — rejects access tokens
+    pub fn validate_refresh_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let claims = self.validate_token(token)?;
+        if claims.token_type != "refresh" {
+            return Err(JwtError::ValidationFailed("Not a refresh token".to_string()));
+        }
+        Ok(claims)
+    }
+
    /// Get the user ID (subject) from a token without full validation
    /// Useful for logging/debugging, but should not be trusted for auth
    pub fn decode_unverified(&self, token: &str) -> Result<JwtClaims, JwtError> {