app: refresh/logout use cases, update login with refresh token

crates/application/src/auth/login.rs

@@ -1,12 +1,13 @@
-use chrono::{DateTime, Utc};
+use chrono::{DateTime, Duration, Utc};
 use uuid::Uuid;
 
-use domain::{errors::DomainError, value_objects::Email};
+use domain::{errors::DomainError, models::RefreshSession, value_objects::Email};
 
 use crate::{auth::queries::LoginQuery, context::AppContext};
 
 pub struct LoginResult {
     pub token: String,
+    pub refresh_token: String,
     pub user_id: Uuid,
     pub email: String,
     pub expires_at: DateTime<Utc>,
@@ -33,8 +34,20 @@ pub async fn execute(ctx: &AppContext, query: LoginQuery) -> Result<LoginResult,
 
     let generated = ctx.services.auth.generate_token(user.id()).await?;
 
+    let refresh_token = Uuid::new_v4().to_string();
+    let refresh_expires = Utc::now() + Duration::seconds(ctx.config.refresh_ttl_seconds as i64);
+    let session = RefreshSession {
+        id: Uuid::new_v4(),
+        user_id: user.id().clone(),
+        token: refresh_token.clone(),
+        expires_at: refresh_expires,
+        created_at: Utc::now(),
+    };
+    ctx.repos.refresh_session.create(&session).await?;
+
     Ok(LoginResult {
         token: generated.token,
+        refresh_token,
         user_id: user.id().value(),
         email: user.email().value().to_string(),
         expires_at: generated.expires_at,

crates/application/src/auth/logout.rs

@@ -0,0 +1,7 @@
+use domain::errors::DomainError;
+
+use crate::context::AppContext;
+
+pub async fn execute(ctx: &AppContext, refresh_token: &str) -> Result<(), DomainError> {
+    ctx.repos.refresh_session.revoke(refresh_token).await
+}

crates/application/src/auth/mod.rs

@@ -1,5 +1,7 @@
 pub mod commands;
 pub mod login;
+pub mod logout;
 pub mod queries;
+pub mod refresh;
 pub mod register;
 pub mod register_and_login;

crates/application/src/auth/refresh.rs

@@ -0,0 +1,59 @@
+use chrono::{Duration, Utc};
+use uuid::Uuid;
+
+use domain::{errors::DomainError, models::RefreshSession};
+
+use crate::context::AppContext;
+
+pub struct RefreshResult {
+    pub token: String,
+    pub refresh_token: String,
+    pub expires_at: chrono::DateTime<Utc>,
+}
+
+pub async fn execute(
+    ctx: &AppContext,
+    old_refresh_token: &str,
+) -> Result<RefreshResult, DomainError> {
+    let session = ctx
+        .repos
+        .refresh_session
+        .get_by_token(old_refresh_token)
+        .await?
+        .ok_or_else(|| DomainError::Unauthorized("Invalid refresh token".into()))?;
+
+    if session.expires_at < Utc::now() {
+        ctx.repos
+            .refresh_session
+            .revoke(old_refresh_token)
+            .await?;
+        return Err(DomainError::Unauthorized("Refresh token expired".into()));
+    }
+
+    // Revoke old token (rotation)
+    ctx.repos
+        .refresh_session
+        .revoke(old_refresh_token)
+        .await?;
+
+    // Generate new access token
+    let generated = ctx.services.auth.generate_token(&session.user_id).await?;
+
+    // Create new refresh session
+    let new_refresh_token = Uuid::new_v4().to_string();
+    let refresh_expires = Utc::now() + Duration::seconds(ctx.config.refresh_ttl_seconds as i64);
+    let new_session = RefreshSession {
+        id: Uuid::new_v4(),
+        user_id: session.user_id,
+        token: new_refresh_token.clone(),
+        expires_at: refresh_expires,
+        created_at: Utc::now(),
+    };
+    ctx.repos.refresh_session.create(&new_session).await?;
+
+    Ok(RefreshResult {
+        token: generated.token,
+        refresh_token: new_refresh_token,
+        expires_at: generated.expires_at,
+    })
+}