using Hutopy.Infrastructure.Security; using Hutopy.Modules.Identity.Configuration; using Hutopy.Modules.Identity.Data; using Microsoft.Extensions.Options; namespace Hutopy.Modules.Identity.Handlers; [PublicAPI] public record RefreshTokenRequest( string RefreshToken); [PublicAPI] public record RefreshTokenResponse( string AccessToken, string RefreshToken); [PublicAPI] public class RefreshTokenHandler( UserManager userManager, IOptionsSnapshot jwtOptions) : Endpoint { public override void Configure() { AllowAnonymous(); Post("/api/users/refresh"); Options(o => o.WithTags("Users")); } public override async Task HandleAsync( RefreshTokenRequest request, CancellationToken ct) { // Find the user using the refresh token User? user = await userManager.Users .FirstOrDefaultAsync(u => u.RefreshToken == request.RefreshToken, ct); if (user == null || user.RefreshTokenExpiryTime <= DateTime.UtcNow) { await SendUnauthorizedAsync(ct); return; } // Generate a new refresh token if rotation is required if (jwtOptions.Value.RefreshTokenRequireRotation || user.RefreshToken is null) { user.RefreshToken = RefreshTokenGenerator.Next(); } // Update refresh token expiry time user.RefreshTokenExpiryTime = DateTime.UtcNow.Add(jwtOptions.Value.RefreshTokenLifetime); await userManager.UpdateAsync(user); // Generate a new access token string accessToken = JwtTokenHelper.GenerateJwtToken( jwtOptions.Value.Lifetime, jwtOptions.Value.Issuer, jwtOptions.Value.Audience, jwtOptions.Value.Key, user.Id.ToString(), user.Email ?? string.Empty, user.Alias, user.Firstname ?? string.Empty, user.Lastname ?? string.Empty, user.PortraitUrl); await SendOkAsync( new RefreshTokenResponse(accessToken, user.RefreshToken), ct); } }