Merge pull request #6 from poyrazK/feat/identity-token-session-core

feat(identity): implement token rotation and session controls

Author: poyrazK

services/java/identity-service/pom.xml

@@ -40,6 +40,28 @@
             <artifactId>postgresql</artifactId>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+            <version>0.12.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+            <version>0.12.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-configuration-processor</artifactId>
+            <optional>true</optional>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

services/java/identity-service/src/main/java/com/cloudmedia/identity/IdentityServiceApplication.java

@@ -1,12 +1,15 @@
 package com.cloudmedia.identity;
 
+import com.cloudmedia.identity.auth.config.AuthProperties;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @SpringBootApplication
+@EnableConfigurationProperties(AuthProperties.class)
 public class IdentityServiceApplication {
 	public static void main(String[] args) {
 		SpringApplication.run(IdentityServiceApplication.class, args);

services/java/identity-service/src/main/java/com/cloudmedia/identity/api/AuthController.java

@@ -1,5 +1,7 @@
 package com.cloudmedia.identity.api;
 
+import com.cloudmedia.identity.auth.config.AuthProperties;
+import com.cloudmedia.identity.auth.service.AuthRefreshUseCase;
 import com.cloudmedia.identity.api.dto.AuthTokensResponse;
 import com.cloudmedia.identity.api.dto.LoginRequest;
 import com.cloudmedia.identity.api.dto.LogoutRequest;
@@ -23,6 +25,14 @@
 @RequestMapping("/v1/auth")
 public class AuthController {
 
+	private final AuthRefreshUseCase authRefreshService;
+	private final AuthProperties authProperties;
+
+	public AuthController(AuthRefreshUseCase authRefreshService, AuthProperties authProperties) {
+		this.authRefreshService = authRefreshService;
+		this.authProperties = authProperties;
+	}
+
 	@PostMapping("/login")
 	public ResponseEntity<ApiSuccessResponse<AuthTokensResponse>> login(@Valid @RequestBody LoginRequest request,
 			@RequestHeader(value = "X-Request-Id", required = false) String requestId) {
@@ -41,8 +51,11 @@ public ResponseEntity<ApiSuccessResponse<AuthTokensResponse>> socialLogin(
 	@PostMapping("/refresh")
 	public ResponseEntity<ApiSuccessResponse<AuthTokensResponse>> refresh(@Valid @RequestBody RefreshRequest request,
 			@RequestHeader(value = "X-Request-Id", required = false) String requestId) {
-		throw new ApiException(HttpStatus.NOT_IMPLEMENTED, "AUTH_NOT_IMPLEMENTED",
-				"Refresh flow is not implemented yet", meta(requestId));
+		var result = authRefreshService.rotateRefreshToken(request.refreshToken());
+		AuthTokensResponse response = new AuthTokensResponse(result.accessToken(), result.refreshToken(),
+				result.sessionId(), authProperties.getAccessTokenTtl().toSeconds(),
+				authProperties.getRefreshTokenTtl().toSeconds());
+		return ResponseEntity.ok(new ApiSuccessResponse<>(response, meta(requestId)));
 	}
 
 	@PostMapping("/logout")

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/config/AuthProperties.java

@@ -0,0 +1,58 @@
+package com.cloudmedia.identity.auth.config;
+
+import java.time.Duration;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "auth")
+public class AuthProperties {
+
+	private String jwtIssuer = "cloudmedia-identity";
+
+	private String jwtSecret = "change-me-in-production-change-me-in-production";
+
+	private Duration accessTokenTtl = Duration.ofMinutes(15);
+
+	private Duration refreshTokenTtl = Duration.ofDays(30);
+
+	private int maxActiveSessions = 5;
+
+	public String getJwtIssuer() {
+		return jwtIssuer;
+	}
+
+	public void setJwtIssuer(String jwtIssuer) {
+		this.jwtIssuer = jwtIssuer;
+	}
+
+	public String getJwtSecret() {
+		return jwtSecret;
+	}
+
+	public void setJwtSecret(String jwtSecret) {
+		this.jwtSecret = jwtSecret;
+	}
+
+	public Duration getAccessTokenTtl() {
+		return accessTokenTtl;
+	}
+
+	public void setAccessTokenTtl(Duration accessTokenTtl) {
+		this.accessTokenTtl = accessTokenTtl;
+	}
+
+	public Duration getRefreshTokenTtl() {
+		return refreshTokenTtl;
+	}
+
+	public void setRefreshTokenTtl(Duration refreshTokenTtl) {
+		this.refreshTokenTtl = refreshTokenTtl;
+	}
+
+	public int getMaxActiveSessions() {
+		return maxActiveSessions;
+	}
+
+	public void setMaxActiveSessions(int maxActiveSessions) {
+		this.maxActiveSessions = maxActiveSessions;
+	}
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/service/AuthRefreshService.java

@@ -0,0 +1,96 @@
+package com.cloudmedia.identity.auth.service;
+
+import com.cloudmedia.identity.auth.config.AuthProperties;
+import com.cloudmedia.identity.auth.token.JwtAccessTokenService;
+import com.cloudmedia.identity.auth.token.RefreshTokenGenerator;
+import com.cloudmedia.identity.auth.token.RefreshTokenHasher;
+import com.cloudmedia.identity.error.ApiException;
+import com.cloudmedia.identity.persistence.entity.RefreshTokenEntity;
+import com.cloudmedia.identity.persistence.entity.SessionEntity;
+import com.cloudmedia.identity.persistence.repository.RefreshTokenRepository;
+import java.time.Instant;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
+import java.util.List;
+import java.util.UUID;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+public class AuthRefreshService implements AuthRefreshUseCase {
+
+	private final AuthProperties authProperties;
+	private final JwtAccessTokenService jwtAccessTokenService;
+	private final RefreshTokenGenerator refreshTokenGenerator;
+	private final RefreshTokenHasher refreshTokenHasher;
+	private final RefreshTokenRepository refreshTokenRepository;
+	private final SessionLifecycleService sessionLifecycleService;
+
+	public AuthRefreshService(AuthProperties authProperties, JwtAccessTokenService jwtAccessTokenService,
+			RefreshTokenGenerator refreshTokenGenerator, RefreshTokenHasher refreshTokenHasher,
+			RefreshTokenRepository refreshTokenRepository, SessionLifecycleService sessionLifecycleService) {
+		this.authProperties = authProperties;
+		this.jwtAccessTokenService = jwtAccessTokenService;
+		this.refreshTokenGenerator = refreshTokenGenerator;
+		this.refreshTokenHasher = refreshTokenHasher;
+		this.refreshTokenRepository = refreshTokenRepository;
+		this.sessionLifecycleService = sessionLifecycleService;
+	}
+
+	@Override
+	@Transactional
+	public RefreshResult rotateRefreshToken(String rawRefreshToken) {
+		LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
+		String tokenHash = refreshTokenHasher.hash(rawRefreshToken);
+
+		RefreshTokenEntity currentToken = refreshTokenRepository.findByTokenHash(tokenHash)
+				.orElseThrow(() -> unauthorized("REFRESH_TOKEN_INVALID", "Refresh token is invalid"));
+
+		if (currentToken.getRevokedAt() != null) {
+			handleReuseDetection(currentToken, now);
+			throw unauthorized("REFRESH_TOKEN_REUSED", "Refresh token reuse detected");
+		}
+
+		SessionEntity session = currentToken.getSession();
+		if (session.getRevokedAt() != null || currentToken.getExpiresAt().isBefore(now)
+				|| session.getExpiresAt().isBefore(now)) {
+			throw unauthorized("REFRESH_TOKEN_EXPIRED", "Refresh token is expired or revoked");
+		}
+
+		String newRawRefreshToken = refreshTokenGenerator.generate();
+		RefreshTokenEntity newToken = new RefreshTokenEntity();
+		newToken.setId(UUID.randomUUID().toString());
+		newToken.setSession(session);
+		newToken.setTokenHash(refreshTokenHasher.hash(newRawRefreshToken));
+		newToken.setFamilyId(currentToken.getFamilyId());
+		newToken.setParentToken(currentToken);
+		newToken.setIssuedAt(now);
+		newToken.setExpiresAt(now.plus(authProperties.getRefreshTokenTtl()));
+
+		RefreshTokenEntity persistedNewToken = refreshTokenRepository.save(newToken);
+
+		currentToken.setRevokedAt(now);
+		currentToken.setReplacedBy(persistedNewToken);
+		refreshTokenRepository.save(currentToken);
+
+		String accessToken = jwtAccessTokenService.issueAccessToken(session.getUser().getId(), session.getId(),
+				Instant.now());
+		return new RefreshResult(accessToken, newRawRefreshToken, session.getId());
+	}
+
+	private void handleReuseDetection(RefreshTokenEntity currentToken, LocalDateTime now) {
+		List<RefreshTokenEntity> activeFamilyTokens = refreshTokenRepository
+				.findByFamilyIdAndRevokedAtIsNull(currentToken.getFamilyId());
+		for (RefreshTokenEntity token : activeFamilyTokens) {
+			token.setRevokedAt(now);
+		}
+		refreshTokenRepository.saveAll(activeFamilyTokens);
+
+		sessionLifecycleService.revokeSessionAndActiveTokens(currentToken.getSession(), now);
+	}
+
+	private ApiException unauthorized(String code, String message) {
+		return new ApiException(HttpStatus.UNAUTHORIZED, code, message, null);
+	}
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/service/AuthRefreshUseCase.java

@@ -0,0 +1,5 @@
+package com.cloudmedia.identity.auth.service;
+
+public interface AuthRefreshUseCase {
+	RefreshResult rotateRefreshToken(String rawRefreshToken);
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/service/AuthTokenIssueService.java

@@ -0,0 +1,55 @@
+package com.cloudmedia.identity.auth.service;
+
+import com.cloudmedia.identity.auth.config.AuthProperties;
+import com.cloudmedia.identity.auth.token.JwtAccessTokenService;
+import com.cloudmedia.identity.auth.token.RefreshTokenGenerator;
+import com.cloudmedia.identity.auth.token.RefreshTokenHasher;
+import com.cloudmedia.identity.persistence.entity.RefreshTokenEntity;
+import com.cloudmedia.identity.persistence.entity.SessionEntity;
+import com.cloudmedia.identity.persistence.repository.RefreshTokenRepository;
+import java.time.Instant;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
+import java.util.UUID;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+public class AuthTokenIssueService {
+
+	private final AuthProperties authProperties;
+	private final JwtAccessTokenService jwtAccessTokenService;
+	private final RefreshTokenGenerator refreshTokenGenerator;
+	private final RefreshTokenHasher refreshTokenHasher;
+	private final RefreshTokenRepository refreshTokenRepository;
+
+	public AuthTokenIssueService(AuthProperties authProperties, JwtAccessTokenService jwtAccessTokenService,
+			RefreshTokenGenerator refreshTokenGenerator, RefreshTokenHasher refreshTokenHasher,
+			RefreshTokenRepository refreshTokenRepository) {
+		this.authProperties = authProperties;
+		this.jwtAccessTokenService = jwtAccessTokenService;
+		this.refreshTokenGenerator = refreshTokenGenerator;
+		this.refreshTokenHasher = refreshTokenHasher;
+		this.refreshTokenRepository = refreshTokenRepository;
+	}
+
+	@Transactional
+	public RefreshResult issueForSession(SessionEntity session) {
+		LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
+		String rawRefreshToken = refreshTokenGenerator.generate();
+
+		RefreshTokenEntity refreshToken = new RefreshTokenEntity();
+		refreshToken.setId(UUID.randomUUID().toString());
+		refreshToken.setSession(session);
+		refreshToken.setTokenHash(refreshTokenHasher.hash(rawRefreshToken));
+		refreshToken.setFamilyId(refreshToken.getId());
+		refreshToken.setIssuedAt(now);
+		refreshToken.setExpiresAt(now.plus(authProperties.getRefreshTokenTtl()));
+
+		refreshTokenRepository.save(refreshToken);
+
+		String accessToken = jwtAccessTokenService.issueAccessToken(session.getUser().getId(), session.getId(),
+				Instant.now());
+		return new RefreshResult(accessToken, rawRefreshToken, session.getId());
+	}
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/service/RefreshResult.java

@@ -0,0 +1,4 @@
+package com.cloudmedia.identity.auth.service;
+
+public record RefreshResult(String accessToken, String refreshToken, String sessionId) {
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/service/SessionLifecycleService.java

@@ -0,0 +1,47 @@
+package com.cloudmedia.identity.auth.service;
+
+import com.cloudmedia.identity.persistence.entity.RefreshTokenEntity;
+import com.cloudmedia.identity.persistence.entity.SessionEntity;
+import com.cloudmedia.identity.persistence.repository.RefreshTokenRepository;
+import com.cloudmedia.identity.persistence.repository.SessionRepository;
+import java.time.LocalDateTime;
+import java.util.List;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+@Service
+public class SessionLifecycleService {
+
+	private final SessionRepository sessionRepository;
+	private final RefreshTokenRepository refreshTokenRepository;
+
+	public SessionLifecycleService(SessionRepository sessionRepository, RefreshTokenRepository refreshTokenRepository) {
+		this.sessionRepository = sessionRepository;
+		this.refreshTokenRepository = refreshTokenRepository;
+	}
+
+	@Transactional
+	public void enforceSessionCap(String userId, int maxActiveSessions, LocalDateTime now) {
+		List<SessionEntity> activeSessions = sessionRepository
+				.findByUser_IdAndRevokedAtIsNullOrderByCreatedAtAsc(userId);
+		if (activeSessions.size() < maxActiveSessions) {
+			return;
+		}
+
+		SessionEntity oldestSession = activeSessions.get(0);
+		revokeSessionAndActiveTokens(oldestSession, now);
+	}
+
+	@Transactional
+	public void revokeSessionAndActiveTokens(SessionEntity session, LocalDateTime now) {
+		session.setRevokedAt(now);
+		sessionRepository.save(session);
+
+		List<RefreshTokenEntity> activeTokens = refreshTokenRepository
+				.findBySession_IdAndRevokedAtIsNull(session.getId());
+		for (RefreshTokenEntity token : activeTokens) {
+			token.setRevokedAt(now);
+		}
+		refreshTokenRepository.saveAll(activeTokens);
+	}
+}

services/java/identity-service/src/main/java/com/cloudmedia/identity/auth/token/JwtAccessTokenService.java

@@ -0,0 +1,31 @@
+package com.cloudmedia.identity.auth.token;
+
+import com.cloudmedia.identity.auth.config.AuthProperties;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.security.Keys;
+import java.nio.charset.StandardCharsets;
+import java.time.Instant;
+import java.util.Date;
+import javax.crypto.SecretKey;
+import org.springframework.stereotype.Component;
+
+@Component
+public class JwtAccessTokenService {
+
+	private final AuthProperties authProperties;
+
+	public JwtAccessTokenService(AuthProperties authProperties) {
+		this.authProperties = authProperties;
+	}
+
+	public String issueAccessToken(String userId, String sessionId, Instant now) {
+		Instant expiresAt = now.plus(authProperties.getAccessTokenTtl());
+
+		return Jwts.builder().subject(userId).issuer(authProperties.getJwtIssuer()).issuedAt(Date.from(now))
+				.expiration(Date.from(expiresAt)).claim("sid", sessionId).signWith(secretKey()).compact();
+	}
+
+	private SecretKey secretKey() {
+		return Keys.hmacShaKeyFor(authProperties.getJwtSecret().getBytes(StandardCharsets.UTF_8));
+	}
+}