social-media/backend/Modules/Identity/Handlers/RefreshToken.cs

using Hutopy.Infrastructure.Security;
using Hutopy.Modules.Identity.Configuration;
using Hutopy.Modules.Identity.Data;
using Microsoft.Extensions.Options;

namespace Hutopy.Modules.Identity.Handlers;

[PublicAPI]
public record RefreshTokenRequest(
    string RefreshToken);

[PublicAPI]
public record RefreshTokenResponse(
    string AccessToken,
    string RefreshToken);

[PublicAPI]
public class RefreshTokenHandler(
    UserManager userManager,
    IOptionsSnapshot<JwtOptions> jwtOptions)
    : Endpoint<RefreshTokenRequest, RefreshTokenResponse>
{
    public override void Configure()
    {
        AllowAnonymous();
        Post("/api/users/refresh");
        Options(o => o.WithTags("Users"));
    }

    public override async Task HandleAsync(
        RefreshTokenRequest request,
        CancellationToken ct)
    {
        // Find the user using the refresh token
        User? user = await userManager.Users
            .FirstOrDefaultAsync(u => u.RefreshToken == request.RefreshToken, ct);

        if (user == null || user.RefreshTokenExpiryTime <= DateTime.UtcNow)
        {
            await SendUnauthorizedAsync(ct);
            return;
        }

        // Generate a new refresh token if rotation is required
        if (jwtOptions.Value.RefreshTokenRequireRotation || user.RefreshToken is null)
        {
            user.RefreshToken = RefreshTokenGenerator.Next();
        }

        // Update refresh token expiry time
        user.RefreshTokenExpiryTime = DateTime.UtcNow.Add(jwtOptions.Value.RefreshTokenLifetime);
        await userManager.UpdateAsync(user);

        // Generate a new access token
        string accessToken = JwtTokenHelper.GenerateJwtToken(
            jwtOptions.Value.Lifetime,
            jwtOptions.Value.Issuer,
            jwtOptions.Value.Audience,
            jwtOptions.Value.Key,
            user.Id.ToString(),
            user.Email ?? string.Empty,
            user.Alias,
            user.Firstname ?? string.Empty,
            user.Lastname ?? string.Empty,
            user.PortraitUrl);

        await SendOkAsync(
            new RefreshTokenResponse(accessToken, user.RefreshToken),
            ct);
    }
}