feat: add refresh token rotation flow

2026-04-21 15:27:04 +08:00
parent 70dbefda2b
commit 584a77e572
16 changed files with 1048 additions and 85 deletions
--- a/server-rs/crates/api-server/src/app.rs
+++ b/server-rs/crates/api-server/src/app.rs
@@ -19,6 +19,7 @@ use crate::{
    error_middleware::normalize_error_response,
    health::health_check,
    password_entry::password_entry,
+    refresh_session::refresh_session,
    request_context::{attach_request_context, resolve_request_id},
    response_headers::propagate_request_id_header,
    state::AppState,
@@ -54,6 +55,13 @@ pub fn build_router(state: AppState) -> Router {
                require_bearer_auth,
            )),
        )
+        .route(
+            "/api/auth/refresh",
+            post(refresh_session).route_layer(middleware::from_fn_with_state(
+                state.clone(),
+                attach_refresh_session_token,
+            )),
+        )
        .route(
            "/api/assets/direct-upload-tickets",
            post(create_direct_upload_ticket),
@@ -616,4 +624,112 @@ mod tests {

        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
    }
+
+    #[tokio::test]
+    async fn refresh_session_rotates_cookie_and_returns_new_access_token() {
+        let app = build_router(AppState::new(AppConfig::default()).expect("state should build"));
+
+        let login_response = app
+            .clone()
+            .oneshot(
+                Request::builder()
+                    .method("POST")
+                    .uri("/api/auth/entry")
+                    .header("content-type", "application/json")
+                    .body(Body::from(
+                        serde_json::json!({
+                            "username": "guest_refresh",
+                            "password": "secret123"
+                        })
+                        .to_string(),
+                    ))
+                    .expect("login request should build"),
+            )
+            .await
+            .expect("login request should succeed");
+        let first_cookie = login_response
+            .headers()
+            .get("set-cookie")
+            .and_then(|value| value.to_str().ok())
+            .expect("refresh cookie should exist")
+            .to_string();
+
+        let refresh_response = app
+            .clone()
+            .oneshot(
+                Request::builder()
+                    .method("POST")
+                    .uri("/api/auth/refresh")
+                    .header("cookie", first_cookie.clone())
+                    .body(Body::empty())
+                    .expect("refresh request should build"),
+            )
+            .await
+            .expect("refresh request should succeed");
+
+        assert_eq!(refresh_response.status(), StatusCode::OK);
+        let second_cookie = refresh_response
+            .headers()
+            .get("set-cookie")
+            .and_then(|value| value.to_str().ok())
+            .expect("rotated refresh cookie should exist")
+            .to_string();
+        assert_ne!(first_cookie, second_cookie);
+
+        let refresh_body = refresh_response
+            .into_body()
+            .collect()
+            .await
+            .expect("refresh body should collect")
+            .to_bytes();
+        let refresh_payload: Value =
+            serde_json::from_slice(&refresh_body).expect("refresh payload should be json");
+        assert!(refresh_payload["token"].as_str().is_some());
+
+        let stale_refresh_response = app
+            .oneshot(
+                Request::builder()
+                    .method("POST")
+                    .uri("/api/auth/refresh")
+                    .header("cookie", first_cookie)
+                    .body(Body::empty())
+                    .expect("stale refresh request should build"),
+            )
+            .await
+            .expect("stale refresh request should succeed");
+
+        assert_eq!(stale_refresh_response.status(), StatusCode::UNAUTHORIZED);
+        assert!(
+            stale_refresh_response
+                .headers()
+                .get("set-cookie")
+                .and_then(|value| value.to_str().ok())
+                .is_some_and(|value| value.contains("Max-Age=0"))
+        );
+    }
+
+    #[tokio::test]
+    async fn refresh_session_rejects_missing_cookie_and_clears_cookie() {
+        let app = build_router(AppState::new(AppConfig::default()).expect("state should build"));
+
+        let response = app
+            .oneshot(
+                Request::builder()
+                    .method("POST")
+                    .uri("/api/auth/refresh")
+                    .body(Body::empty())
+                    .expect("request should build"),
+            )
+            .await
+            .expect("request should succeed");
+
+        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+        assert!(
+            response
+                .headers()
+                .get("set-cookie")
+                .and_then(|value| value.to_str().ok())
+                .is_some_and(|value| value.contains("Max-Age=0"))
+        );
+    }
 }