feat: add refresh token rotation flow

2026-04-21 15:27:04 +08:00
parent 70dbefda2b
commit 584a77e572
16 changed files with 1048 additions and 85 deletions
--- a/server-rs/crates/api-server/src/state.rs
+++ b/server-rs/crates/api-server/src/state.rs
@@ -1,6 +1,6 @@
 use std::{error::Error, fmt};

-use module_auth::{InMemoryPasswordUserStore, PasswordEntryService};
+use module_auth::{InMemoryAuthStore, PasswordEntryService, RefreshSessionService};
 use platform_auth::{
    JwtConfig, JwtError, RefreshCookieConfig, RefreshCookieError, RefreshCookieSameSite,
 };
@@ -18,6 +18,7 @@ pub struct AppState {
    refresh_cookie_config: RefreshCookieConfig,
    oss_client: Option<OssClient>,
    password_entry_service: PasswordEntryService,
+    refresh_session_service: RefreshSessionService,
 }

 #[derive(Debug)]
@@ -46,8 +47,10 @@ impl AppState {
            config.refresh_session_ttl_days,
        )?;
        let oss_client = build_oss_client(&config)?;
-        let password_entry_service =
-            PasswordEntryService::new(InMemoryPasswordUserStore::default());
+        let auth_store = InMemoryAuthStore::default();
+        let password_entry_service = PasswordEntryService::new(auth_store.clone());
+        let refresh_session_service =
+            RefreshSessionService::new(auth_store, config.refresh_session_ttl_days);

        Ok(Self {
            config,
@@ -55,6 +58,7 @@ impl AppState {
            refresh_cookie_config,
            oss_client,
            password_entry_service,
+            refresh_session_service,
        })
    }

@@ -73,6 +77,10 @@ impl AppState {
    pub fn password_entry_service(&self) -> &PasswordEntryService {
        &self.password_entry_service
    }
+
+    pub fn refresh_session_service(&self) -> &RefreshSessionService {
+        &self.refresh_session_service
+    }
 }

 impl fmt::Display for AppStateInitError {
@@ -109,8 +117,7 @@ fn build_oss_client(config: &AppConfig) -> Result<Option<OssClient>, AppStateIni
    let has_any_oss_field = config.oss_bucket.is_some()
        || config.oss_endpoint.is_some()
        || config.oss_access_key_id.is_some()
-        || config.oss_access_key_secret.is_some()
-        || config.oss_public_base_url.is_some();
+        || config.oss_access_key_secret.is_some();

    if !has_any_oss_field {
        return Ok(None);
@@ -121,7 +128,7 @@ fn build_oss_client(config: &AppConfig) -> Result<Option<OssClient>, AppStateIni
        config.oss_endpoint.clone().unwrap_or_default(),
        config.oss_access_key_id.clone().unwrap_or_default(),
        config.oss_access_key_secret.clone().unwrap_or_default(),
-        config.oss_public_base_url.clone(),
+        config.oss_read_expire_seconds,
        config.oss_post_expire_seconds,
        config.oss_post_max_size_bytes,
        config.oss_success_action_status,