Add token type to JWT claims for access/refresh distinction

- Add TokenType enum and include in Claims struct - GenerateRefreshToken now creates tokens with TokenRefresh type - AuthRequired middleware rejects refresh tokens - AuthService.Refresh validates token type - Tests verify type validation
2026-04-29 16:55:18 +08:00
parent 712171230b
commit b4ab864f80
6 changed files with 112 additions and 4 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -8,10 +8,19 @@ import (
 	"github.com/google/uuid"
 )

-// Claims represents the JWT claims for MyGO access tokens.
+// TokenType distinguishes access tokens from refresh tokens.
+type TokenType string
+
+const (
+	TokenAccess  TokenType = "access"
+	TokenRefresh TokenType = "refresh"
+)
+
+// Claims represents the JWT claims for MyGO tokens.
 type Claims struct {
 	jwt.RegisteredClaims
-	UserID string `json:"uid"`
+	UserID string    `json:"uid"`
+	Type   TokenType `json:"type"`
 }

 // GenerateAccessToken creates a signed JWT access token for a user.
@@ -24,6 +33,7 @@ func GenerateAccessToken(userID string, secret []byte, ttl time.Duration) (strin
 			ExpiresAt: jwt.NewNumericDate(now.Add(ttl)),
 		},
 		UserID: userID,
+		Type:   TokenAccess,
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -35,9 +45,26 @@ func GenerateAccessToken(userID string, secret []byte, ttl time.Duration) (strin
 	return signed, nil
 }

-// GenerateRefreshToken creates a signed JWT refresh token.
+// GenerateRefreshToken creates a signed JWT refresh token for a user.
 func GenerateRefreshToken(userID string, secret []byte, ttl time.Duration) (string, error) {
-	return GenerateAccessToken(userID, secret, ttl)
+	now := time.Now()
+	claims := Claims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			ID:        uuid.NewString(),
+			IssuedAt:  jwt.NewNumericDate(now),
+			ExpiresAt: jwt.NewNumericDate(now.Add(ttl)),
+		},
+		UserID: userID,
+		Type:   TokenRefresh,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := token.SignedString(secret)
+	if err != nil {
+		return "", fmt.Errorf("sign token: %w", err)
+	}
+
+	return signed, nil
 }

 // ParseToken validates and parses a JWT token string.
--- a/internal/auth/jwt_test.go
+++ b/internal/auth/jwt_test.go
@@ -34,6 +34,9 @@ func TestParseTokenValid(t *testing.T) {
 	if claims.UserID != "user-1" {
 		t.Errorf("UserID = %q, want %q", claims.UserID, "user-1")
 	}
+	if claims.Type != TokenAccess {
+		t.Errorf("Type = %q, want %q", claims.Type, TokenAccess)
+	}
 }

 func TestParseTokenWrongSecret(t *testing.T) {
@@ -78,6 +81,17 @@ func TestGenerateRefreshToken(t *testing.T) {
 	if token == "" {
 		t.Fatal("token is empty")
 	}
+	if !strings.Contains(token, ".") {
+		t.Fatal("token does not look like a JWT")
+	}
+
+	claims, err := ParseToken(token, secret)
+	if err != nil {
+		t.Fatalf("ParseToken = %v", err)
+	}
+	if claims.Type != TokenRefresh {
+		t.Errorf("Type = %q, want %q", claims.Type, TokenRefresh)
+	}
 }

 func TestTokenUserIDCarried(t *testing.T) {
@@ -91,3 +105,21 @@ func TestTokenUserIDCarried(t *testing.T) {
 		t.Errorf("UserID = %q, want %q", claims.UserID, "alice-42")
 	}
 }
+
+func TestRefreshTokenRejectedByMiddleware(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := GenerateRefreshToken("user-1", secret, 7*24*time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateRefreshToken = %v", err)
+	}
+
+	// Simulate what the middleware does: parse + check type
+	claims, err := ParseToken(token, secret)
+	if err != nil {
+		t.Fatalf("ParseToken = %v", err)
+	}
+	if claims.Type != TokenRefresh {
+		t.Fatalf("expected refresh token type, got %q", claims.Type)
+	}
+	// The actual middleware rejection is tested in middleware/auth_test.go
+}