session id check by refresh token

2025-09-10 20:19:51 +03:00 · 2025-09-10 20:19:51 +03:00 · 6d20fc3ed6
commit 6d20fc3ed6
parent a8c974994b
11 changed files with 74 additions and 103 deletions
--- a/internal/api/user/controller.go
+++ b/internal/api/user/controller.go
@ -11,16 +11,15 @@ import (
 )

 type controller struct {
-	service      *service
-	utils        interfaces.Utils
-	refreshRoute string
+	service  *service
+	utils    interfaces.Utils
+	authPath string
 }

-func newController(service *service, utils interfaces.Utils, refreshRoute string) *controller {
+func newController(service *service, utils interfaces.Utils) *controller {
 	return &controller{
-		service:      service,
-		utils:        utils,
-		refreshRoute: refreshRoute,
+		service: service,
+		utils:   utils,
 	}
 }

@ -33,9 +32,12 @@ func (h *Handler) RegisterRoutes(r *gin.RouterGroup) {
 	userGroup.DELETE("/", h.controller.delete)

 	//auth
-	userGroup.POST("/login", h.controller.login)
-	userGroup.POST("/logout", h.controller.logout)
-	userGroup.POST("/refresh", h.controller.refresh)
+	h.controller.authPath = "/user/auth"
+
+	authGroup := userGroup.Group("/auth")
+	authGroup.POST("/login", h.controller.login)
+	authGroup.POST("/logout", h.controller.logout)
+	authGroup.POST("/refresh", h.controller.refresh)
 }

 func (h *Handler) ExcludeRoutes() []shared.ExcludeRoute {
@ -187,7 +189,7 @@ func (co *controller) login(c *gin.Context) {
 		response.RefreshCookie.Name,
 		response.RefreshCookie.Value,
 		int(time.Until(response.RefreshCookie.Expires).Seconds()),
-		co.refreshRoute,
+		co.authPath,
 		"",
 		response.RefreshCookie.Secure,
 		response.RefreshCookie.HttpOnly,
@ -206,14 +208,14 @@ func (co *controller) login(c *gin.Context) {
 // @Failure		500				{object}	responses.ErrorResponse500
 // @Router			/user/logout	[post]
 func (co *controller) logout(c *gin.Context) {
-	userUuid, refreshUuid, sessionUuid, err := co.utils.GetAllTokensFromContext(c)
+	userUuid, refreshUuid, err := co.utils.GetAllTokensFromContext(c)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, responses.ErrorResponse400{Error: err.Error()})
 		log.WithError(err).Error("User | Failed to get uuids from context on refresh")
 		return
 	}

-	if err = co.service.logout(userUuid, refreshUuid, sessionUuid); err != nil {
+	if err = co.service.logout(userUuid, refreshUuid); err != nil {
 		c.JSON(http.StatusInternalServerError, responses.ErrorResponse500{Error: err.Error()})
 		log.WithError(err).Error("User | Failed to logout")
 		return
@ -232,14 +234,14 @@ func (co *controller) logout(c *gin.Context) {
 // @Router			/user/refresh	[post]
 func (co *controller) refresh(c *gin.Context) {
 	//токены будут помещены в контекст при срабатывании мидлвари авторизации
-	userUuid, refreshUuid, sessionUuid, err := co.utils.GetAllTokensFromContext(c)
+	userUuid, refreshUuid, err := co.utils.GetAllTokensFromContext(c)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, responses.ErrorResponse400{Error: err.Error()})
 		log.WithError(err).Error("User | Failed to get uuids from context on refresh")
 		return
 	}

-	response, err := co.service.refresh(userUuid, refreshUuid, sessionUuid)
+	response, err := co.service.refresh(userUuid, refreshUuid)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, responses.ErrorResponse500{Error: err.Error()})
 		log.WithError(err).Error("User | Failed to refresh user info")
--- a/internal/api/user/handler.go
+++ b/internal/api/user/handler.go
@ -12,16 +12,15 @@ type Handler struct {
 }

 type Deps struct {
-	Auth         interfaces.Auth
-	DB           *gorm.DB
-	Utils        interfaces.Utils
-	RefreshRoute string
+	Auth  interfaces.Auth
+	DB    *gorm.DB
+	Utils interfaces.Utils
 }

 func NewHandler(deps Deps) *Handler {
 	r := newRepo(deps.DB)
 	s := newService(deps.Auth, r, deps.Utils)
-	c := newController(s, deps.Utils, deps.RefreshRoute)
+	c := newController(s, deps.Utils)

 	return &Handler{
 		controller: c,
--- a/internal/api/user/service.go
+++ b/internal/api/user/service.go
@ -120,10 +120,10 @@ func (s *service) login(login Login) (shared.AuthData, error) {
 	return authData, nil
 }

-func (s *service) logout(userUuid, refreshUuid, sessionUuid string) error {
-	return s.auth.Logout(userUuid, refreshUuid, sessionUuid)
+func (s *service) logout(userUuid, refreshUuid string) error {
+	return s.auth.Logout(userUuid, refreshUuid)
 }

-func (s *service) refresh(userUuid, refreshUuid, sessionUuid string) (shared.AuthData, error) {
-	return s.auth.Refresh(userUuid, refreshUuid, sessionUuid)
+func (s *service) refresh(userUuid, refreshUuid string) (shared.AuthData, error) {
+	return s.auth.Refresh(userUuid, refreshUuid)
 }
--- a/internal/interfaces/auth.go
+++ b/internal/interfaces/auth.go
@ -4,6 +4,6 @@ import "merch-parser-api/internal/shared"

 type Auth interface {
 	Login(userUuid string) (shared.AuthData, error)
-	Logout(userUuid, refreshUuid, sessionUuid string) error
-	Refresh(userUuid, refreshUuid, sessionUuid string) (shared.AuthData, error)
+	Logout(userUuid, refreshUuid string) error
+	Refresh(userUuid, refreshUuid string) (shared.AuthData, error)
 }
--- a/internal/interfaces/utils.go
+++ b/internal/interfaces/utils.go
@ -5,7 +5,7 @@ import "github.com/gin-gonic/gin"
 type Utils interface {
 	IsEmail(email string) bool
 	GetUserUuidFromContext(c *gin.Context) (string, error)
-	GetAllTokensFromContext(c *gin.Context) (string, string, string, error)
+	GetAllTokensFromContext(c *gin.Context) (string, string, error)
 	HashPassword(password string) (string, error)
 	ComparePasswords(hashedPassword string, plainPassword string) error
 }
--- a/internal/provider/auth/repository.go
+++ b/internal/provider/auth/repository.go
@ -7,8 +7,8 @@ import (

 type Repository interface {
 	CreateRefreshToken(token *Session) error
-	ReadRefreshToken(userUuid, tokenUuid, sessionUuid string) (Session, error)
-	InvalidateRefreshToken(userUuid, refreshUuid, sessionUuid string) error
+	ReadRefreshToken(userUuid, tokenUuid string) (Session, error)
+	InvalidateRefreshToken(userUuid, refreshUuid string) error
 }

 type repo struct {
@ -23,13 +23,12 @@ func (r *repo) CreateRefreshToken(token *Session) error {
 	return r.db.Create(token).Error
 }

-func (r *repo) ReadRefreshToken(userUuid, tokenUuid, sessionUuid string) (Session, error) {
+func (r *repo) ReadRefreshToken(userUuid, tokenUuid string) (Session, error) {
 	var tokenData Session

 	if err := r.db.
 		Where("user_uuid = ?", userUuid).
 		Where("refresh_uuid = ?", tokenUuid).
-		Where("session_uuid = ?", sessionUuid).
 		Where("deleted_at IS NULL").
 		First(&tokenData).Error; err != nil {
 		return Session{}, err
@ -38,11 +37,10 @@ func (r *repo) ReadRefreshToken(userUuid, tokenUuid, sessionUuid string) (Sessio
 	return tokenData, nil
 }

-func (r *repo) InvalidateRefreshToken(userUuid, refreshUuid, sessionUuid string) error {
+func (r *repo) InvalidateRefreshToken(userUuid, refreshUuid string) error {
 	return r.db.
 		Model(&Session{}).
 		Where("user_uuid = ?", userUuid).
 		Where("refresh_uuid = ?", refreshUuid).
-		Where("session_uuid = ?", sessionUuid).
 		Update("deleted_at", time.Now().UTC()).Error
 }
--- a/internal/provider/auth/service.go
+++ b/internal/provider/auth/service.go
@ -26,10 +26,10 @@ func (s *Service) Login(userUuid string) (shared.AuthData, error) {
 	return s.newSession(userUuid)
 }

-func (s *Service) Refresh(userUuid, refreshUuid, sessionUuid string) (shared.AuthData, error) {
+func (s *Service) Refresh(userUuid, refreshUuid string) (shared.AuthData, error) {
 	var err error

-	tokenData, err := s.repo.ReadRefreshToken(userUuid, refreshUuid, sessionUuid)
+	tokenData, err := s.repo.ReadRefreshToken(userUuid, refreshUuid)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return shared.AuthData{}, errors.New("refresh token is not valid or doesn't exist")
@ -38,19 +38,20 @@ func (s *Service) Refresh(userUuid, refreshUuid, sessionUuid string) (shared.Aut
 	}

 	if time.Now().After(tokenData.Expires) {
+		_ = s.repo.InvalidateRefreshToken(userUuid, refreshUuid)
 		return shared.AuthData{}, errors.New("token expired")
 	}

-	err = s.repo.InvalidateRefreshToken(userUuid, refreshUuid, sessionUuid)
+	err = s.repo.InvalidateRefreshToken(userUuid, refreshUuid)
 	if err != nil {
 		return shared.AuthData{}, err
 	}

-	return s.updateSession(userUuid, sessionUuid)
+	return s.updateSession(userUuid, tokenData.SessionUuid)
 }

-func (s *Service) Logout(userUuid, refreshUuid, sessionUuid string) error {
-	return s.repo.InvalidateRefreshToken(userUuid, refreshUuid, sessionUuid)
+func (s *Service) Logout(userUuid, refreshUuid string) error {
+	return s.repo.InvalidateRefreshToken(userUuid, refreshUuid)
 }

 func (s *Service) newSession(userUuid string) (shared.AuthData, error) {
--- a/internal/router/handler.go
+++ b/internal/router/handler.go
@ -13,19 +13,17 @@ import (
 )

 type router struct {
-	apiPrefix         string
-	engine            *gin.Engine
-	ginMode           string
-	excludeRoutes     map[string]shared.ExcludeRoute
-	tokenProv         interfaces.JWTProvider
-	usersRefreshRoute string
+	apiPrefix     string
+	engine        *gin.Engine
+	ginMode       string
+	excludeRoutes map[string]shared.ExcludeRoute
+	tokenProv     interfaces.JWTProvider
 }

 type Deps struct {
-	ApiPrefix         string
-	GinMode           string
-	TokenProv         interfaces.JWTProvider
-	UsersRefreshRoute string
+	ApiPrefix string
+	GinMode   string
+	TokenProv interfaces.JWTProvider
 }

 func NewRouter(deps Deps) interfaces.Router {
@ -50,10 +48,9 @@ func NewRouter(deps Deps) interfaces.Router {
 	}))

 	return &router{
-		apiPrefix:         deps.ApiPrefix,
-		engine:            engine,
-		tokenProv:         deps.TokenProv,
-		usersRefreshRoute: deps.UsersRefreshRoute,
+		apiPrefix: deps.ApiPrefix,
+		engine:    engine,
+		tokenProv: deps.TokenProv,
 	}
 }

@ -69,10 +66,9 @@ func (r *router) Set() *gin.Engine {
 	r.engine.GET("/swagger/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))

 	r.engine.Use(authMiddleware(mwDeps{
-		prefix:            r.apiPrefix,
-		excludeRoutes:     &r.excludeRoutes,
-		tokenProv:         r.tokenProv,
-		usersRefreshRoute: r.usersRefreshRoute,
+		prefix:        r.apiPrefix,
+		excludeRoutes: &r.excludeRoutes,
+		tokenProv:     r.tokenProv,
 	}))

 	return r.engine
--- a/internal/router/middleware.go
+++ b/internal/router/middleware.go
@ -10,10 +10,9 @@ import (
 )

 type mwDeps struct {
-	prefix            string
-	excludeRoutes     *map[string]shared.ExcludeRoute
-	tokenProv         interfaces.JWTProvider
-	usersRefreshRoute string
+	prefix        string
+	excludeRoutes *map[string]shared.ExcludeRoute
+	tokenProv     interfaces.JWTProvider
 }

 func authMiddleware(deps mwDeps) gin.HandlerFunc {
@ -24,7 +23,7 @@ func authMiddleware(deps mwDeps) gin.HandlerFunc {
 			return
 		}

-		if c.FullPath() == deps.usersRefreshRoute && c.Request.Method == "POST" {
+		if (c.FullPath() == "/user/auth/refresh" || c.FullPath() == "/user/auth/logout") && c.Request.Method == "POST" {
 			refreshUuid, err := c.Cookie("refresh_uuid")
 			if err != nil {
 				c.JSON(http.StatusUnauthorized, responses.ErrorResponse401{Error: "Refresh token is required"})
@ -48,7 +47,7 @@ func authMiddleware(deps mwDeps) gin.HandlerFunc {
 			return
 		}

-		userUuid, sessionUuid, err := deps.tokenProv.Parse(token)
+		userUuid, err := deps.tokenProv.Parse(token)
 		if err != nil {
 			c.JSON(http.StatusUnauthorized, responses.ErrorResponse401{Error: err.Error()})
 			log.WithField("msg", "error parsing jwt").Error("MW | Authorization")
@ -57,11 +56,9 @@ func authMiddleware(deps mwDeps) gin.HandlerFunc {
 		}

 		c.Set("userUuid", userUuid)
-		c.Set("sessionUuid", sessionUuid)

 		log.WithFields(log.Fields{
-			"userUuid":    userUuid,
-			"sessionUuid": sessionUuid,
+			"userUuid": userUuid,
 		}).Debug("MW | Parsed uuids")

 		if !c.IsAborted() {