Merge branch 'feature/jwt-refresh-and-favorites-fix' into 'main'

feat: implement JWT refresh token mechanism and improve auth

See merge request foxixus/neomovies-api!1

main.go

@@ -67,6 +67,7 @@ func main() {
 	api.HandleFunc("/auth/resend-code", authHandler.ResendVerificationCode).Methods("POST")
 	api.HandleFunc("/auth/google/login", authHandler.GoogleLogin).Methods("GET")
 	api.HandleFunc("/auth/google/callback", authHandler.GoogleCallback).Methods("GET")
+	api.HandleFunc("/auth/refresh", authHandler.RefreshToken).Methods("POST")
 
 	api.HandleFunc("/search/multi", searchHandler.MultiSearch).Methods("GET")
 
@@ -120,6 +121,8 @@ func main() {
 	protected.HandleFunc("/auth/profile", authHandler.GetProfile).Methods("GET")
 	protected.HandleFunc("/auth/profile", authHandler.UpdateProfile).Methods("PUT")
 	protected.HandleFunc("/auth/profile", authHandler.DeleteAccount).Methods("DELETE")
+	protected.HandleFunc("/auth/revoke-token", authHandler.RevokeRefreshToken).Methods("POST")
+	protected.HandleFunc("/auth/revoke-all-tokens", authHandler.RevokeAllRefreshTokens).Methods("POST")
 
 	protected.HandleFunc("/reactions/{mediaType}/{mediaId}/my-reaction", reactionsHandler.GetMyReaction).Methods("GET")
 	protected.HandleFunc("/reactions/{mediaType}/{mediaId}", reactionsHandler.SetReaction).Methods("POST")

pkg/config/vars.go

@@ -15,7 +15,7 @@ const (
 	EnvRedAPIKey          = "REDAPI_KEY"
 	EnvMongoDBName        = "MONGO_DB_NAME"
 	EnvGoogleClientID     = "GOOGLE_CLIENT_ID"
-	EnvGoogleClientSecret= "GOOGLE_CLIENT_SECRET"
+	EnvGoogleClientSecret = "GOOGLE_CLIENT_SECRET"
 	EnvGoogleRedirectURL  = "GOOGLE_REDIRECT_URL"
 	EnvFrontendURL        = "FRONTEND_URL"
 	EnvVibixHost          = "VIBIX_HOST"

pkg/handlers/auth.go

@@ -3,8 +3,8 @@ package handlers
 import (
 	"encoding/json"
 	"net/http"
-	"time"
 	"strings"
+	"time"
 
 	"go.mongodb.org/mongo-driver/bson"
 
@@ -46,7 +46,14 @@ func (h *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	response, err := h.authService.Login(req)
+	// Получаем информацию о клиенте для refresh токена
+	userAgent := r.Header.Get("User-Agent")
+	ipAddress := r.RemoteAddr
+	if forwarded := r.Header.Get("X-Forwarded-For"); forwarded != "" {
+		ipAddress = forwarded
+	}
+
+	response, err := h.authService.LoginWithTokens(req, userAgent, ipAddress)
 	if err != nil {
 		statusCode := http.StatusBadRequest
 		if err.Error() == "Account not activated. Please verify your email." {
@@ -221,5 +228,82 @@ func (h *AuthHandler) ResendVerificationCode(w http.ResponseWriter, r *http.Requ
 	json.NewEncoder(w).Encode(response)
 }
 
+// RefreshToken refreshes an access token using a refresh token
+func (h *AuthHandler) RefreshToken(w http.ResponseWriter, r *http.Request) {
+	var req models.RefreshTokenRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	// Получаем информацию о клиенте
+	userAgent := r.Header.Get("User-Agent")
+	ipAddress := r.RemoteAddr
+	if forwarded := r.Header.Get("X-Forwarded-For"); forwarded != "" {
+		ipAddress = forwarded
+	}
+
+	tokenPair, err := h.authService.RefreshAccessToken(req.RefreshToken, userAgent, ipAddress)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(models.APIResponse{
+		Success: true,
+		Data:    tokenPair,
+		Message: "Token refreshed successfully",
+	})
+}
+
+// RevokeRefreshToken revokes a specific refresh token
+func (h *AuthHandler) RevokeRefreshToken(w http.ResponseWriter, r *http.Request) {
+	userID, ok := middleware.GetUserIDFromContext(r.Context())
+	if !ok {
+		http.Error(w, "User ID not found in context", http.StatusInternalServerError)
+		return
+	}
+
+	var req models.RefreshTokenRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	err := h.authService.RevokeRefreshToken(userID, req.RefreshToken)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(models.APIResponse{
+		Success: true,
+		Message: "Refresh token revoked successfully",
+	})
+}
+
+// RevokeAllRefreshTokens revokes all refresh tokens for the current user
+func (h *AuthHandler) RevokeAllRefreshTokens(w http.ResponseWriter, r *http.Request) {
+	userID, ok := middleware.GetUserIDFromContext(r.Context())
+	if !ok {
+		http.Error(w, "User ID not found in context", http.StatusInternalServerError)
+		return
+	}
+
+	err := h.authService.RevokeAllRefreshTokens(userID)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(models.APIResponse{
+		Success: true,
+		Message: "All refresh tokens revoked successfully",
+	})
+}
+
 // helpers
 func generateState() string { return uuidNew() }

pkg/handlers/movie.go

@@ -189,8 +189,6 @@ func (h *MovieHandler) GetSimilar(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
-
-
 func (h *MovieHandler) GetExternalIDs(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id, err := strconv.Atoi(vars["id"])

pkg/handlers/players.go

@@ -10,8 +10,8 @@ import (
 	"strings"
 	"time"
 
-	"neomovies-api/pkg/config"
 	"github.com/gorilla/mux"
+	"neomovies-api/pkg/config"
 )
 
 type PlayersHandler struct {

pkg/handlers/reactions.go

@@ -85,7 +85,9 @@ func (h *ReactionsHandler) SetReaction(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var request struct{ Type string `json:"type"` }
+	var request struct {
+		Type string `json:"type"`
+	}
 	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
 		http.Error(w, "Invalid request body", http.StatusBadRequest)
 		return

pkg/models/user.go

@@ -22,6 +22,7 @@ type User struct {
 	UpdatedAt           time.Time          `json:"updated_at" bson:"updatedAt"`
 	Provider            string             `json:"provider,omitempty" bson:"provider,omitempty"`
 	GoogleID            string             `json:"googleId,omitempty" bson:"googleId,omitempty"`
+	RefreshTokens       []RefreshToken     `json:"-" bson:"refreshTokens,omitempty"`
 }
 
 type LoginRequest struct {
@@ -37,6 +38,7 @@ type RegisterRequest struct {
 
 type AuthResponse struct {
 	Token        string `json:"token"`
+	RefreshToken string `json:"refreshToken"`
 	User         User   `json:"user"`
 }
 
@@ -48,3 +50,20 @@ type VerifyEmailRequest struct {
 type ResendCodeRequest struct {
 	Email string `json:"email" validate:"required,email"`
 }
+
+type RefreshToken struct {
+	Token     string    `json:"token" bson:"token"`
+	ExpiresAt time.Time `json:"expiresAt" bson:"expiresAt"`
+	CreatedAt time.Time `json:"createdAt" bson:"createdAt"`
+	UserAgent string    `json:"userAgent,omitempty" bson:"userAgent,omitempty"`
+	IPAddress string    `json:"ipAddress,omitempty" bson:"ipAddress,omitempty"`
+}
+
+type TokenPair struct {
+	AccessToken  string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
+}
+
+type RefreshTokenRequest struct {
+	RefreshToken string `json:"refreshToken" validate:"required"`
+}

pkg/services/auth.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"encoding/json"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"go.mongodb.org/mongo-driver/bson"
@@ -19,7 +20,6 @@ import (
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
-	"encoding/json"
 
 	"neomovies-api/pkg/models"
 )
@@ -176,8 +176,12 @@ func (s *AuthService) HandleGoogleCallback(ctx context.Context, code string) (*m
 			"googleId":  gUser.Sub,
 			"updatedAt": time.Now(),
 		}
-		if user.Name == "" && gUser.Name != "" { update["name"] = gUser.Name }
-		if user.Avatar == "" && gUser.Picture != "" { update["avatar"] = gUser.Picture }
+		if user.Name == "" && gUser.Name != "" {
+			update["name"] = gUser.Name
+		}
+		if user.Avatar == "" && gUser.Picture != "" {
+			update["avatar"] = gUser.Picture
+		}
 		_, _ = collection.UpdateOne(ctx, bson.M{"_id": user.ID}, bson.M{"$set": update})
 	}
 
@@ -186,10 +190,16 @@ func (s *AuthService) HandleGoogleCallback(ctx context.Context, code string) (*m
 		// If we created user above, we already have user.ID set; else fetch updated
 		_ = collection.FindOne(ctx, bson.M{"email": gUser.Email}).Decode(&user)
 	}
-	token, err := s.generateJWT(user.ID.Hex())
-	if err != nil { return nil, err }
+	tokenPair, err := s.generateTokenPair(user.ID.Hex(), "", "")
+	if err != nil {
+		return nil, err
+	}
 
-	return &models.AuthResponse{ Token: token, User: user }, nil
+	return &models.AuthResponse{
+		Token:        tokenPair.AccessToken,
+		RefreshToken: tokenPair.RefreshToken,
+		User:         user,
+	}, nil
 }
 
 // generateVerificationCode creates a 6-digit verification code.
@@ -246,7 +256,7 @@ func (s *AuthService) Register(req models.RegisterRequest) (map[string]interface
 }
 
 // Login authenticates a user.
-func (s *AuthService) Login(req models.LoginRequest) (*models.AuthResponse, error) {
+func (s *AuthService) LoginWithTokens(req models.LoginRequest, userAgent, ipAddress string) (*models.AuthResponse, error) {
 	collection := s.db.Collection("users")
 
 	var user models.User
@@ -264,17 +274,23 @@ func (s *AuthService) Login(req models.LoginRequest) (*models.AuthResponse, erro
 		return nil, errors.New("Invalid password")
 	}
 
-	token, err := s.generateJWT(user.ID.Hex())
+	tokenPair, err := s.generateTokenPair(user.ID.Hex(), userAgent, ipAddress)
 	if err != nil {
 		return nil, err
 	}
 
 	return &models.AuthResponse{
-		Token: token,
+		Token:        tokenPair.AccessToken,
+		RefreshToken: tokenPair.RefreshToken,
 		User:         user,
 	}, nil
 }
 
+// Login authenticates a user (legacy method for backward compatibility).
+func (s *AuthService) Login(req models.LoginRequest) (*models.AuthResponse, error) {
+	return s.LoginWithTokens(req, "", "")
+}
+
 // GetUserByID retrieves a user by their ID.
 func (s *AuthService) GetUserByID(userID string) (*models.User, error) {
 	collection := s.db.Collection("users")
@@ -320,7 +336,7 @@ func (s *AuthService) UpdateUser(userID string, updates bson.M) (*models.User, e
 func (s *AuthService) generateJWT(userID string) (string, error) {
 	claims := jwt.MapClaims{
 		"user_id": userID,
-		"exp":     time.Now().Add(time.Hour * 24 * 7).Unix(),
+		"exp":     time.Now().Add(time.Hour * 1).Unix(), // Сократил время жизни до 1 часа
 		"iat":     time.Now().Unix(),
 		"jti":     uuid.New().String(),
 	}
@@ -329,6 +345,158 @@ func (s *AuthService) generateJWT(userID string) (string, error) {
 	return token.SignedString([]byte(s.jwtSecret))
 }
 
+// generateRefreshToken generates a new refresh token
+func (s *AuthService) generateRefreshToken() string {
+	return uuid.New().String()
+}
+
+// generateTokenPair generates both access and refresh tokens
+func (s *AuthService) generateTokenPair(userID, userAgent, ipAddress string) (*models.TokenPair, error) {
+	accessToken, err := s.generateJWT(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	refreshToken := s.generateRefreshToken()
+
+	// Сохраняем refresh token в базе данных
+	collection := s.db.Collection("users")
+	objectID, err := primitive.ObjectIDFromHex(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	refreshTokenDoc := models.RefreshToken{
+		Token:     refreshToken,
+		ExpiresAt: time.Now().Add(time.Hour * 24 * 30), // 30 дней
+		CreatedAt: time.Now(),
+		UserAgent: userAgent,
+		IPAddress: ipAddress,
+	}
+
+	// Удаляем старые истекшие токены и добавляем новый
+	_, err = collection.UpdateOne(
+		context.Background(),
+		bson.M{"_id": objectID},
+		bson.M{
+			"$pull": bson.M{
+				"refreshTokens": bson.M{
+					"expiresAt": bson.M{"$lt": time.Now()},
+				},
+			},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = collection.UpdateOne(
+		context.Background(),
+		bson.M{"_id": objectID},
+		bson.M{
+			"$push": bson.M{
+				"refreshTokens": refreshTokenDoc,
+			},
+			"$set": bson.M{
+				"updatedAt": time.Now(),
+			},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return &models.TokenPair{
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+	}, nil
+}
+
+// RefreshAccessToken refreshes an access token using a refresh token
+func (s *AuthService) RefreshAccessToken(refreshToken, userAgent, ipAddress string) (*models.TokenPair, error) {
+	collection := s.db.Collection("users")
+
+	// Найти пользователя с данным refresh токеном
+	var user models.User
+	err := collection.FindOne(
+		context.Background(),
+		bson.M{
+			"refreshTokens": bson.M{
+				"$elemMatch": bson.M{
+					"token":     refreshToken,
+					"expiresAt": bson.M{"$gt": time.Now()},
+				},
+			},
+		},
+	).Decode(&user)
+
+	if err != nil {
+		return nil, errors.New("invalid or expired refresh token")
+	}
+
+	// Удалить использованный refresh token
+	_, err = collection.UpdateOne(
+		context.Background(),
+		bson.M{"_id": user.ID},
+		bson.M{
+			"$pull": bson.M{
+				"refreshTokens": bson.M{
+					"token": refreshToken,
+				},
+			},
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Создать новую пару токенов
+	return s.generateTokenPair(user.ID.Hex(), userAgent, ipAddress)
+}
+
+// RevokeRefreshToken revokes a specific refresh token
+func (s *AuthService) RevokeRefreshToken(userID, refreshToken string) error {
+	collection := s.db.Collection("users")
+	objectID, err := primitive.ObjectIDFromHex(userID)
+	if err != nil {
+		return err
+	}
+
+	_, err = collection.UpdateOne(
+		context.Background(),
+		bson.M{"_id": objectID},
+		bson.M{
+			"$pull": bson.M{
+				"refreshTokens": bson.M{
+					"token": refreshToken,
+				},
+			},
+		},
+	)
+	return err
+}
+
+// RevokeAllRefreshTokens revokes all refresh tokens for a user
+func (s *AuthService) RevokeAllRefreshTokens(userID string) error {
+	collection := s.db.Collection("users")
+	objectID, err := primitive.ObjectIDFromHex(userID)
+	if err != nil {
+		return err
+	}
+
+	_, err = collection.UpdateOne(
+		context.Background(),
+		bson.M{"_id": objectID},
+		bson.M{
+			"$set": bson.M{
+				"refreshTokens": []models.RefreshToken{},
+				"updatedAt":     time.Now(),
+			},
+		},
+	)
+	return err
+}
+
 // VerifyEmail verifies a user's email with a code.
 func (s *AuthService) VerifyEmail(req models.VerifyEmailRequest) (map[string]interface{}, error) {
 	collection := s.db.Collection("users")

pkg/services/movie.go

@@ -48,8 +48,6 @@ func (s *MovieService) GetSimilar(id, page int, language string) (*models.TMDBRe
 	return s.tmdb.GetSimilarMovies(id, page, language)
 }
 
-
-
 func (s *MovieService) GetExternalIDs(id int) (*models.ExternalIDs, error) {
 	return s.tmdb.GetMovieExternalIDs(id)
 }

pkg/services/reactions.go

@@ -83,7 +83,9 @@ func (s *ReactionsService) GetMyReaction(userID, mediaType, mediaID string) (str
 	collection := s.db.Collection("reactions")
 	ctx := context.Background()
 
-	var result struct{ Type string `bson:"type"` }
+	var result struct {
+		Type string `bson:"type"`
+	}
 	err := collection.FindOne(ctx, bson.M{
 		"userId":    userID,
 		"mediaType": mediaType,

pkg/services/torrent.go

@@ -207,7 +207,6 @@ func (s *TorrentService) SearchTorrentsByIMDbID(tmdbService *TMDBService, imdbID
 	return response, nil
 }
 
-
 // SearchMovies - поиск фильмов с дополнительной фильтрацией
 func (s *TorrentService) SearchMovies(title, originalTitle, year string) (*models.TorrentSearchResponse, error) {
 	params := map[string]string{