fix: Generate a new refresh token if an instance domain was changed (#4657)

After migrating an instance from one domain to another (e.g.,
alice.mycozy.cloud → alice.twake.app), sharings between migrated and
non-migrated instances can break.
When the migration is done by:
1. Changing the instance's Domain attribute
2. Setting OldDomain to the previous domain value
The OAuth tokens behave as follows:
- Refresh token: Still has iss: "alice.mycozy.cloud" (old domain)
- Access token: After refresh, has iss: "alice.twake.app" (new domain)

However, after a successful refresh:
1. A new access token is generated with the current domain as issuer ✅
  2. The refresh token is NOT regenerated ❌

This means the client continues using the old refresh token. While this
works as long as OldDomain is set, it's fragile, and the refresh token
should be updated to use the current domain.

Author: shepilov

model/oauth/client_test.go

@@ -276,6 +276,29 @@ func TestClient(t *testing.T) {
 		assert.False(t, ok, "The token should be invalid")
 	})
 
+	t.Run("ParseJWTValidWithOldDomain", func(t *testing.T) {
+		// Simulate a migrated instance where the domain changed but OldDomain is set
+		originalDomain := testInstance.Domain
+
+		// Create a refresh token with the current domain as issuer
+		tokenString, err := c.CreateJWT(testInstance, "refresh", "foo:read")
+		assert.NoError(t, err)
+
+		// Simulate migration: change Domain and set OldDomain to the original
+		testInstance.Domain = "new.example.com"
+		testInstance.OldDomain = originalDomain
+
+		// The token should still be valid because OldDomain matches the issuer
+		claims, ok := c.ValidToken(testInstance, consts.RefreshTokenAudience, tokenString)
+		assert.True(t, ok, "The token should be valid when OldDomain matches the issuer")
+		assert.Equal(t, originalDomain, claims.Issuer)
+		assert.Equal(t, "foo:read", claims.Scope)
+
+		// Restore the instance
+		testInstance.Domain = originalDomain
+		testInstance.OldDomain = ""
+	})
+
 	t.Run("ParseJWTInvalidSubject", func(t *testing.T) {
 		other := &oauth.Client{
 			CouchID: "my-other-client",

model/sharing/member.go

@@ -673,6 +673,11 @@ func (c *Credentials) Refresh(inst *instance.Instance, s *Sharing, m *Member) er
 		return err
 	}
 	c.AccessToken.AccessToken = token.AccessToken
+	// Also update the refresh token if a new one is provided (e.g., when the
+	// instance domain has changed and a new refresh token is issued)
+	if token.RefreshToken != "" {
+		c.AccessToken.RefreshToken = token.RefreshToken
+	}
 	if err = couchdb.UpdateDoc(inst, s); err != nil && !couchdb.IsConflictError(err) {
 		return err
 	}

web/auth/auth_test.go

@@ -1283,6 +1283,66 @@ func TestAuth(t *testing.T) {
 		assertValidToken(t, testInstance, obj.Value("access_token").String().Raw(), "access", clientID, "files:read")
 	})
 
+	t.Run("RefreshTokenWithOldDomainIssuer", func(t *testing.T) {
+		// This test simulates the scenario where an instance has been migrated
+		// from an old domain to a new domain. The refresh token was issued with
+		// the old domain as issuer, but the instance now has OldDomain set.
+		// After refresh, a new refresh token should be issued with the current domain.
+
+		e := testutils.CreateTestClient(t, ts.URL)
+
+		// Set OldDomain on the instance to simulate migration
+		oldDomain := "old." + domain
+		testInstance.OldDomain = oldDomain
+		require.NoError(t, instance.Update(testInstance))
+
+		// Reload the instance to get the updated version
+		var err error
+		testInstance, err = lifecycle.GetInstance(testInstance.Domain)
+		require.NoError(t, err)
+
+		// Create a refresh token with the OLD domain as issuer
+		// (simulating a token created before migration)
+		oldDomainToken, err := crypto.NewJWT(testInstance.OAuthSecret, permission.Claims{
+			RegisteredClaims: jwt.RegisteredClaims{
+				Audience: jwt.ClaimStrings{consts.RefreshTokenAudience},
+				Issuer:   oldDomain, // OLD domain as issuer
+				IssuedAt: jwt.NewNumericDate(time.Now()),
+				Subject:  clientID,
+			},
+			Scope: "files:read",
+		})
+		require.NoError(t, err)
+
+		// Refresh should succeed and return a NEW refresh token with current domain
+		obj := e.POST("/auth/access_token").
+			WithFormField("grant_type", "refresh_token").
+			WithFormField("client_id", clientID).
+			WithFormField("client_secret", clientSecret).
+			WithFormField("refresh_token", oldDomainToken).
+			WithHost(domain).
+			Expect().Status(200).
+			JSON().Object()
+
+		obj.HasValue("token_type", "bearer")
+		obj.HasValue("scope", "files:read")
+
+		// Verify the access token is valid
+		assertValidToken(t, testInstance, obj.Value("access_token").String().Raw(), "access", clientID, "files:read")
+
+		// A new refresh token should be returned with the current domain as issuer
+		newRefreshToken := obj.Value("refresh_token").String().NotEmpty().Raw()
+		assertValidToken(t, testInstance, newRefreshToken, "refresh", clientID, "files:read")
+
+		// Verify the new refresh token has the current domain as issuer
+		var newClaims permission.Claims
+		err = crypto.ParseJWT(newRefreshToken, func(token *jwt.Token) (interface{}, error) {
+			return testInstance.OAuthSecret, nil
+		}, &newClaims)
+		require.NoError(t, err)
+		assert.Equal(t, domain, newClaims.Issuer, "New refresh token should have current domain as issuer")
+	})
+
 	t.Run("OAuthWithPKCE", func(t *testing.T) {
 		e := testutils.CreateTestClient(t, ts.URL)
 

web/auth/oauth.go

@@ -988,6 +988,13 @@ func accessToken(c echo.Context) error {
 			out.Scope = claims.Scope
 		}
 
+		// If the refresh token was issued by the old domain (validated via
+		// OldDomain), generate a new refresh token with the current domain
+		// so that future refreshes work without depending on OldDomain.
+		if claims.Issuer != instance.Domain && out.Refresh == "" {
+			out.Refresh, _ = client.CreateJWT(instance, consts.RefreshTokenAudience, out.Scope)
+		}
+
 	default:
 		return c.JSON(http.StatusBadRequest, echo.Map{
 			"error": "invalid grant type",