feat: logout token revoke

SwanHtetAungPhyo · SwanHtetAungPhyo · commit 00f108507017 · 2025-07-07T03:52:45.000+02:00
fix: jwt static key
doc: http/authflow.md addition
refactor: utils/jwt_utils.go
diff --git a/http/authflow.md b/http/authflow.md
@@ -0,0 +1,90 @@
+# Auth API Documentation
+
+## Overview
+Authentication endpoints for user login, registration, logout, and token refresh.
+
+## Endpoints
+
+### POST /auth/login
+Login with email and password.
+
+**Request Body:**
+```json
+{
+  "email": "user@example.com",
+  "password": "password123"
+}
+```
+
+**Response:**
+```json
+{
+  "user": {
+    "id": "uuid",
+    "name": "John Doe",
+    "email": "user@example.com",
+    "role": "user",
+    "verified": true,
+    "created_at": "2024-01-01T00:00:00Z",
+    "updated_at": "2024-01-01T00:00:00Z"
+  },
+  "access_token": "jwt_token",
+  "refresh_token": "refresh_token",
+  "expires_at": "2024-01-01T01:00:00Z"
+}
+```
+
+### POST /auth/register
+Register a new user account.
+
+**Request Body:**
+```json
+{
+  "name": "John Doe",
+  "email": "user@example.com",
+  "password": "password123"
+}
+```
+
+**Response:** Same as login response (201 Created)
+
+### POST /auth/logout
+Logout user and invalidate tokens.
+
+**Headers:**
+```
+Authorization: Bearer <access_token>
+```
+
+**Request Body (optional):**
+```json
+{
+  "refresh_token": "refresh_token"
+}
+```
+
+**Response:**
+```json
+{
+  "message": "Logout successful"
+}
+```
+
+### POST /auth/refresh
+Refresh access token using refresh token.
+
+**Request Body:**
+```json
+{
+  "refresh_token": "refresh_token"
+}
+```
+
+**Response:**
+```json
+{
+  "access_token": "new_jwt_token",
+  "refresh_token": "new_refresh_token",
+  "expires_at": "2024-01-01T01:00:00Z"
+}
+```
diff --git a/http/swanhtetaungphyo.auth.http b/http/swanhtetaungphyo.auth.http
@@ -52,7 +52,8 @@ Content-Type: {{contentType}}
   "password": "password123"
 }
 
-### Login with valid credentials
+### Login with valid credentials - CAPTURE TOKENS
+
 POST {{baseUrl}}/auth/login
 Content-Type: {{contentType}}
 
@@ -61,6 +62,13 @@ Content-Type: {{contentType}}
   "password": "password123"
 }
 
+> {%
+    client.global.set("accessToken", response.body.access_token);
+    client.global.set("refreshToken", response.body.refresh_token);
+    client.global.set("userEmail", response.body.user.email);
+    client.global.set("userId", response.body.user.id);
+%}
+
 ### Login with invalid credentials (should fail)
 POST {{baseUrl}}/auth/login
 Content-Type: {{contentType}}
@@ -96,14 +104,19 @@ Content-Type: {{contentType}}
   "email": "john.doe@example.com"
 }
 
-### Refresh token (replace with actual refresh token from login response)
+### Refresh token using captured refresh token
 POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJyZWZyZXNoIiwiaXNzIjoiY21zLXN5cyIsImV4cCI6MTY5NTEyMzQ1NiwiaWF0IjoxNjk0NTE4NjU2LCJuYmYiOjE2OTQ1MTg2NTZ9.example_signature"
+  "refresh_token": "{{refreshToken}}"
 }
 
+> {%
+    client.global.set("accessToken", response.body.access_token);
+    client.global.set("refreshToken", response.body.refresh_token);
+%}
+
 ### Refresh token with invalid token (should fail)
 POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
@@ -117,29 +130,36 @@ POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJhY2Nlc3MiLCJpc3MiOiJjbXMtc3lzIiwiZXhwIjoxNjk0NTE5NTU2LCJpYXQiOjE2OTQ1MTg2NTYsIm5iZiI6MTY5NDUxODY1Nn0.example_signature"
+  "refresh_token": "{{accessToken}}"
 }
 
 ### Logout with both access and refresh tokens
 POST {{baseUrl}}/auth/logout
 Content-Type: {{contentType}}
-Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJhY2Nlc3MiLCJpc3MiOiJjbXMtc3lzIiwiZXhwIjoxNjk0NTE5NTU2LCJpYXQiOjE2OTQ1MTg2NTYsIm5iZiI6MTY5NDUxODY1Nn0.example_signature
+Authorization: Bearer {{accessToken}}
 
 {
-  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJyZWZyZXNoIiwiaXNzIjoiY21zLXN5cyIsImV4cCI6MTY5NTEyMzQ1NiwiaWF0IjoxNjk0NTE4NjU2LCJuYmYiOjE2OTQ1MTg2NTZ9.example_signature"
+  "refresh_token": "{{refreshToken}}"
 }
 
+> {%
+    client.global.clear("accessToken");
+    client.global.clear("refreshToken");
+    client.global.clear("userEmail");
+    client.global.clear("userId");
+%}
+
 ### Logout with only access token (from Authorization header)
 POST {{baseUrl}}/auth/logout
 Content-Type: {{contentType}}
-Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJhY2Nlc3MiLCJpc3MiOiJjbXMtc3lzIiwiZXhwIjoxNjk0NTE5NTU2LCJpYXQiOjE2OTQ1MTg2NTYsIm5iZiI6MTY5NDUxODY1Nn0.example_signature
+Authorization: Bearer {{accessToken}}
 
 ### Logout with only refresh token (in request body)
 POST {{baseUrl}}/auth/logout
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJyZWZyZXNoIiwiaXNzIjoiY21zLXN5cyIsImV4cCI6MTY5NTEyMzQ1NiwiaWF0IjoxNjk0NTE4NjU2LCJuYmYiOjE2OTQ1MTg2NTZ9.example_signature"
+  "refresh_token": "{{refreshToken}}"
 }
 
 ### Logout without any tokens (should still succeed)
@@ -151,7 +171,7 @@ POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2NzgtOTBhYi1jZGVmLTEyMzQtNTY3ODkwYWJjZGVmIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInRva2VuX3R5cGUiOiJyZWZyZXNoIiwiaXNzIjoiY21zLXN5cyIsImV4cCI6MTY5NTEyMzQ1NiwiaWF0IjoxNjk0NTE4NjU2LCJuYmYiOjE2OTQ1MTg2NTZ9.example_signature"
+  "refresh_token": "{{refreshToken}}"
 }
 
 ### === WORKFLOW TEST SEQUENCE ===
@@ -163,11 +183,10 @@ Content-Type: {{contentType}}
 {
   "name": "Test User",
   "email": "test@example.com",
-  "password": "testpass123",
-  "role": "customer"
+  "password": "testpass123"
 }
 
-### 2. Login with the test user (save the tokens from response)
+### 2. Login with the test user - CAPTURE TOKENS
 POST {{baseUrl}}/auth/login
 Content-Type: {{contentType}}
 
@@ -176,35 +195,116 @@ Content-Type: {{contentType}}
   "password": "testpass123"
 }
 
+> {%
+    client.global.set("testAccessToken", response.body.access_token);
+    client.global.set("testRefreshToken", response.body.refresh_token);
+    client.global.set("testUserEmail", response.body.user.email);
+    client.global.set("testUserId", response.body.user.id);
+%}
+
 ### 3. Use the access token to access protected endpoint (if you have any)
 # GET {{baseUrl}}/protected-endpoint
-# Authorization: Bearer {{accessToken}}
+# Authorization: Bearer {{testAccessToken}}
 
 ### 4. Refresh the token using the refresh token from login
 POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "{{refreshToken}}"
+  "refresh_token": "{{testRefreshToken}}"
 }
 
-### 5. Logout using both tokens (copy actual tokens from previous responses)
+> {%
+    client.global.set("testAccessToken", response.body.access_token);
+    client.global.set("testRefreshToken", response.body.refresh_token);
+%}
+
+### 5. Logout using both tokens
 POST {{baseUrl}}/auth/logout
 Content-Type: {{contentType}}
-Authorization: Bearer {{accessToken}}
+Authorization: Bearer {{testAccessToken}}
 
 {
-  "refresh_token": "{{refreshToken}}"
+  "refresh_token": "{{testRefreshToken}}"
 }
 
+> {%
+    client.global.clear("testAccessToken");
+    client.global.clear("testRefreshToken");
+    client.global.clear("testUserEmail");
+    client.global.clear("testUserId");
+%}
+
 ### 6. Try to use the revoked refresh token (should fail)
 POST {{baseUrl}}/auth/refresh
 Content-Type: {{contentType}}
 
 {
-  "refresh_token": "{{refreshToken}}"
+  "refresh_token": "{{testRefreshToken}}"
+}
+
+### === AUTHENTICATED REQUESTS EXAMPLES ===
+
+### Get user profile (example protected endpoint)
+GET {{baseUrl}}/auth/profile
+Authorization: Bearer {{accessToken}}
+
+### Update user profile (example protected endpoint)
+PUT {{baseUrl}}/auth/profile
+Content-Type: {{contentType}}
+Authorization: Bearer {{accessToken}}
+
+{
+  "name": "Updated Name"
+}
+
+### === MULTIPLE USER TESTING ===
+
+### Login as Jane Smith - CAPTURE SEPARATE TOKENS
+POST {{baseUrl}}/auth/login
+Content-Type: {{contentType}}
+
+{
+  "email": "jane.smith@example.com",
+  "password": "password123"
+}
+
+> {%
+    client.global.set("janeAccessToken", response.body.access_token);
+    client.global.set("janeRefreshToken", response.body.refresh_token);
+%}
+
+### Use Jane's token for protected endpoint
+GET {{baseUrl}}/auth/profile
+Authorization: Bearer {{janeAccessToken}}
+
+### Refresh Jane's token
+POST {{baseUrl}}/auth/refresh
+Content-Type: {{contentType}}
+
+{
+  "refresh_token": "{{janeRefreshToken}}"
 }
 
+> {%
+    client.global.set("janeAccessToken", response.body.access_token);
+    client.global.set("janeRefreshToken", response.body.refresh_token);
+%}
+
+### Logout Jane
+POST {{baseUrl}}/auth/logout
+Content-Type: {{contentType}}
+Authorization: Bearer {{janeAccessToken}}
+
+{
+  "refresh_token": "{{janeRefreshToken}}"
+}
+
+> {%
+    client.global.clear("janeAccessToken");
+    client.global.clear("janeRefreshToken");
+%}
+
 ### === EDGE CASES ===
 
 ### Empty request body tests
@@ -238,4 +338,60 @@ POST {{baseUrl}}/auth/login
 {
   "email": "test@example.com",
   "password": "testpass123"
-}
+}
+
+### === TOKEN EXPIRATION TESTING ===
+
+### Wait for token to expire and test refresh
+POST {{baseUrl}}/auth/refresh
+Content-Type: {{contentType}}
+
+{
+  "refresh_token": "{{refreshToken}}"
+}
+
+> {%
+    client.global.set("accessToken", response.body.access_token);
+    client.global.set("refreshToken", response.body.refresh_token);
+%}
+
+### Test expired access token (if you have short-lived tokens)
+GET {{baseUrl}}/auth/profile
+Authorization: Bearer {{accessToken}}
+
+### === CONCURRENT LOGIN TESTING ===
+
+### Login from different device (same user)
+POST {{baseUrl}}/auth/login
+Content-Type: {{contentType}}
+
+{
+  "email": "john.doe@example.com",
+  "password": "password123"
+}
+
+> {%
+    client.global.set("device2AccessToken", response.body.access_token);
+    client.global.set("device2RefreshToken", response.body.refresh_token);
+%}
+
+### Test both tokens work
+GET {{baseUrl}}/auth/profile
+Authorization: Bearer {{accessToken}}
+
+GET {{baseUrl}}/auth/profile
+Authorization: Bearer {{device2AccessToken}}
+
+### Logout from device 2
+POST {{baseUrl}}/auth/logout
+Content-Type: {{contentType}}
+Authorization: Bearer {{device2AccessToken}}
+
+{
+  "refresh_token": "{{device2RefreshToken}}"
+}
+
+> {%
+    client.global.clear("device2AccessToken");
+    client.global.clear("device2RefreshToken");
+%}
