go-quasar-partial-ssr/backend/internal/auth/service.go

package auth

import (
	"errors"
	"time"

	"github.com/gofiber/fiber/v3"
	"github.com/golang-jwt/jwt/v5"
)

type AuthService struct {
	cfg           Config
	secret        []byte
	accessExpiry  time.Duration
	refreshExpiry time.Duration
}

const (
	tokenTypeAccess  = "access"
	tokenTypeRefresh = "refresh"
)

func NewAuthService(cfg Config) (*AuthService, error) {
	if cfg.Secret == "" {
		return nil, errors.New("jwt secret is required")
	}
	if cfg.AccessTokenExpiry <= 0 {
		return nil, errors.New("access token expiry must be positive")
	}
	if cfg.RefreshTokenExpiry <= 0 {
		return nil, errors.New("refresh token expiry must be positive")
	}

	return &AuthService{
		cfg:           cfg,
		secret:        []byte(cfg.Secret),
		accessExpiry:  cfg.AccessTokenExpiry,
		refreshExpiry: cfg.RefreshTokenExpiry,
	}, nil
}

func (s *AuthService) GenerateTokenPair(username string) (TokenPair, error) {
	access, err := s.generateToken(username, tokenTypeAccess, s.accessExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	refresh, err := s.generateToken(username, tokenTypeRefresh, s.refreshExpiry)
	if err != nil {
		return TokenPair{}, err
	}

	return TokenPair{
		AccessToken:  access,
		RefreshToken: refresh,
	}, nil
}

func (s *AuthService) AccessExpiry() time.Duration {
	return s.accessExpiry
}

func (s *AuthService) RefreshExpiry() time.Duration {
	return s.refreshExpiry
}

func (s *AuthService) Middleware() fiber.Handler {
	return func(c fiber.Ctx) error {
		tokenString := c.Get("Auth-Token")
		if tokenString == "" {
			return fiber.NewError(fiber.StatusUnauthorized, "missing token header")
		}

		claims, err := s.parseToken(tokenString)
		if err != nil {
			return fiber.NewError(fiber.StatusUnauthorized, err.Error())
		}
		if claims.TokenType != tokenTypeAccess {
			return fiber.NewError(fiber.StatusUnauthorized, "access token required")
		}

		c.Locals("authClaims", claims)
		return c.Next()
	}
}

func (s *AuthService) Refresh(refreshToken string) (TokenPair, error) {
	claims, err := s.parseToken(refreshToken)
	if err != nil {
		return TokenPair{}, err
	}
	if claims.TokenType != tokenTypeRefresh {
		return TokenPair{}, errors.New("refresh token required")
	}
	return s.GenerateTokenPair(claims.Username)
}

func (s *AuthService) ValidateAccessToken(tokenString string) (*Claims, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, err
	}
	if claims.TokenType != tokenTypeAccess {
		return nil, errors.New("access token required")
	}
	return claims, nil
}

func ClaimsFromCtx(c fiber.Ctx) (*Claims, bool) {
	val := c.Locals("authClaims")
	if val == nil {
		return nil, false
	}
	claims, ok := val.(*Claims)
	return claims, ok
}

func (s *AuthService) parseToken(tokenString string) (*Claims, error) {
	claims := &Claims{}
	token, err := jwt.ParseWithClaims(tokenString, claims, func(t *jwt.Token) (interface{}, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fiber.ErrUnauthorized
		}
		return s.secret, nil
	})
	if err != nil || !token.Valid {
		return nil, errors.New("invalid or expired token")
	}
	if s.cfg.Issuer != "" && claims.Issuer != "" && claims.Issuer != s.cfg.Issuer {
		return nil, errors.New("invalid token issuer")
	}

	return claims, nil
}

func (s *AuthService) generateToken(username, tokenType string, expiry time.Duration) (string, error) {
	claims := Claims{
		Username:  username,
		TokenType: tokenType,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    s.cfg.Issuer,
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(expiry)),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	return token.SignedString(s.secret)
}