auth/internal/api/token_refresh.go at c230d8a22dfcb2e9503183cfabf0de04d94c839a · supabase/auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package api

import (
	"context"
	"net/http"
	"regexp"

	"github.com/supabase/auth/internal/api/apierrors"
	"github.com/supabase/auth/internal/crypto"
	"github.com/supabase/auth/internal/tokens"
)

// RefreshTokenGrantParams are the parameters the RefreshTokenGrant method accepts
type RefreshTokenGrantParams struct {
	RefreshToken string `json:"refresh_token"`
}

var legacyRefreshTokenPattern = regexp.MustCompile("^[a-z0-9]{12}$")

func (p *RefreshTokenGrantParams) Validate() error {
	if len(p.RefreshToken) < 12 {
		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid")
	}

	if len(p.RefreshToken) == 12 {
		if !legacyRefreshTokenPattern.MatchString(p.RefreshToken) {
			return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid")
		}

		return nil
	}

	_, err := crypto.ParseRefreshToken(p.RefreshToken)
	if err != nil {
		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "Refresh token is not valid").WithInternalError(err)
	}

	return nil
}

// RefreshTokenGrant implements the refresh_token grant type flow
func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
	params := &RefreshTokenGrantParams{}
	if err := retrieveRequestParams(r, params); err != nil {
		return err
	}

	if err := params.Validate(); err != nil {
		return err
	}

	db := a.db.WithContext(ctx)
	tokenResponse, err := a.tokenService.RefreshTokenGrant(ctx, db, r, w.Header(), tokens.RefreshTokenGrantParams{
		RefreshToken: params.RefreshToken,
	})
	if err != nil {
		return err
	}

	return sendJSON(w, http.StatusOK, tokenResponse)
}