feat(refresh-token): implement refresh token with blacklist mechanism

- add endpoint logout to revoke refesh token
- add logic to check blacklist refresh token

Author: andriawan

app.http

@@ -3,7 +3,7 @@
 @username = alice.johnson@example.com
 @passowrd = password
 @token = eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhcHBzIiwic3ViIjoiYm9iLnNtaXRoQGV4YW1wbGUuY29tIiwiZXhwIjoxNzQ5MzY2MjU0LCJ1c2VyX2lkIjoyLCJpYXQiOjE3NDkzNjYyMzQsInNjb3BlIjoiIn0.FBStVWnq6h45QVXN7oJA6wxLRDW0OoRCWkxUBstP4PfzKJ81UVJzFt8s5N5dEu1dKc5vd66lOIvDw9d6QfGs2DMNf3LYH53X9r1zhNi0fIsShYSWnrCNahYi7zaRmaGys4cUMBehNj4VQGF-fbxW3UdCgbGxsDlPvJviz76Nfo7TyVZlV9ccVJd1mKJHm0E06H_FK8qab_Rq40jLMMt8B5OM3qdNLN_j6fGds-xXclIsT_W-EaNecfhCcDJ_lkqxsJ-sEIrtpiEp4MD1SqMzbXsyoXKKu6gHzwEeGpI6_giQrdCLf2wFEKBhzPeH-9hKGj8afjw8UWTVXXE4zV8HnA
-@refresh = eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhcHBzIiwic3ViIjoiYW5kcmlhd2FuIiwiZXhwIjoxNzQ5MjY1MTgyLCJpYXQiOjE3NDkyNjUwNjIsInNjb3BlIjoiIn0.SVX9hYqVBs4b-7yPUZkBOXSRyGN7n7AW2A5XsMdJws40UBJvpBzztl2ir7L7C8A1FvjOQ59Mz5rAGgXH9xytPwXhRF8KHIXZF_aUO--cYhbjleFPjA1J_Y0QtI5ncEoLz6wMHDuz04_xjvbHaejSVo1dgbcZsq3iYc3UrL_Rgz-CQiwARk8CsOeevAGukxz_px-IMYPA2BIypWHcdbsqkgzcjTMAY0xBjGTEND97p1omvPPIDkT-pln8k3zyUEjY9qeEUT1AJwDB_HgoXePTSeW08oVZvrcWeOSdiEP3q9iuIVo93LjVOApcHJyGWzjEqYe_h1mrm2ciQ541BbzsTQ
+@refresh = eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhcHBzIiwic3ViIjoiYWxpY2Uuam9obnNvbkBleGFtcGxlLmNvbSIsImV4cCI6MTc0OTM4NzY5OCwidXNlcl9pZCI6MSwiaWF0IjoxNzQ5Mzg3NTc4LCJzY29wZSI6IiJ9.iqcexuIGb8m-Z6mUKzRHsksl3GTQoc6wamQGlJhDB-hAiU7YrgJmKdLA4aD3XNbRTi6aiaGS0R5N5GCBh-_O81sFywa_stNgJUEA-o-SnTeBdaJsD1ITPPzu9xivyDR6vhz6LrW1mukwm4mCcR15R-5w0gIU1nl5XhBX3Rggfjr-lnrqEItkWglKtY1haJ_Aemc9EmoCxwSsLZ_OEbKdkzyCxcYcJ_5IvHeU98Z_DzhmnxyFBQXUFYTbENA162P3YL99dGLWSNBQ30akUYacjYT3aF4zif1qAH8M42tgb-OKt9DXlKWsyojyAvH2qQWT8eu5o4uxs1L8Gw5PuQk-JA
 GET {{api}}/users
 Accept: application/json
 Authorization: Bearer {{token}}
@@ -23,5 +23,9 @@ Authorization: Basic {{username}}:{{passowrd}}
 
 POST {{api}}/auth/token/refresh
 Accept: application/json
-Authorization: Bearer {{refresh}}
+Content-Type: application/json
+
+{
+    "token": "{{refresh}}"
+}
 

src/main/java/com/andriawan/andresource/config/CustomAuthenticationEntryPoint.java

@@ -39,7 +39,7 @@ public void commence(
             responseForJson.status(),
             "message",
             responseForJson.message(),
-            "exception", 
+            "exception",
             responseForJson.exceptionClassName(),
             "path",
             request.getRequestURI());

src/main/java/com/andriawan/andresource/config/Security.java

@@ -42,7 +42,9 @@ public class Security {
   @Value("${auth.sample.password}")
   private String samplePassword;
 
-  private String[] publicRoute = {"/v3/api-docs/*", "/v3/api-docs", "/swagger-ui/*"};
+  private String[] publicRoute = {
+    "/v3/api-docs/*", "/v3/api-docs", "/swagger-ui/*", "/api/v1/auth/token/refresh"
+  };
 
   private String loginRoute = "/api/v1/auth/login";
 

src/main/java/com/andriawan/andresource/controller/AuthController.java

@@ -5,11 +5,13 @@
 import java.util.Map;
 import java.util.Optional;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.tomcat.websocket.AuthenticationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -19,6 +21,8 @@
 public class AuthController {
   @Autowired private TokenService tokenService;
 
+  public record RefreshTokenRequest(String token) {}
+
   @SecurityRequirement(name = "basicAuth")
   @PostMapping("/login")
   public ResponseEntity<Map<String, String>> authenticate(Authentication authentication) {
@@ -31,8 +35,16 @@ public ResponseEntity<Map<String, String>> authenticate(Authentication authentic
   }
 
   @SecurityRequirement(name = "jwt")
+  @PostMapping("/logout")
+  public ResponseEntity<Map<String, String>> logout(
+      Authentication authentication, @RequestBody RefreshTokenRequest request) {
+    tokenService.revokeToken(request);
+    return ResponseEntity.ok(Map.of("message", "token deleted"));
+  }
+
   @PostMapping("/token/refresh")
-  public ResponseEntity<Map<String, String>> refreshToken(Authentication authentication) {
-    return ResponseEntity.ok(tokenService.generateToken(authentication));
+  public ResponseEntity<Map<String, String>> refreshToken(@RequestBody RefreshTokenRequest request)
+      throws AuthenticationException {
+    return ResponseEntity.ok(tokenService.doRefreshToken(request));
   }
 }

src/main/java/com/andriawan/andresource/entity/RefreshToken.java

@@ -0,0 +1,35 @@
+package com.andriawan.andresource.entity;
+
+import jakarta.persistence.*;
+import java.time.Instant;
+import java.util.UUID;
+import lombok.*;
+
+@Entity
+@Table(name = "refresh_token", schema = "auth")
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class RefreshToken {
+
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  private Integer id;
+
+  @Column(nullable = false, unique = true, columnDefinition = "TEXT")
+  private String token;
+
+  @Column(name = "user_id", insertable = false, updatable = false)
+  private Integer userId;
+
+  @ManyToOne(fetch = FetchType.LAZY)
+  @JoinColumn(name = "user_id", foreignKey = @ForeignKey(name = "fk_user"))
+  private User user;
+
+  @Column(name = "expires_at", nullable = false)
+  private Instant expiresAt;
+
+  @Column(name = "blacklisted_at")
+  private Instant blacklistedAt;
+}

src/main/java/com/andriawan/andresource/repository/RefreshTokenRepository.java

@@ -0,0 +1,11 @@
+package com.andriawan.andresource.repository;
+
+import com.andriawan.andresource.entity.RefreshToken;
+import java.util.Optional;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+public interface RefreshTokenRepository extends JpaRepository<RefreshToken, Long> {
+  Optional<RefreshToken> findByToken(String token);
+
+  void deleteByToken(String token);
+}

src/main/java/com/andriawan/andresource/service/TokenService.java

@@ -1,13 +1,24 @@
 package com.andriawan.andresource.service;
 
+import com.andriawan.andresource.controller.AuthController.RefreshTokenRequest;
+import com.andriawan.andresource.entity.RefreshToken;
+import com.andriawan.andresource.entity.User;
+import com.andriawan.andresource.repository.RefreshTokenRepository;
+import jakarta.persistence.EntityNotFoundException;
+import jakarta.transaction.Transactional;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Map;
-import java.util.stream.Collectors;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.jwt.BadJwtException;
+import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
 import org.springframework.stereotype.Service;
@@ -23,43 +34,107 @@ public class TokenService {
 
   private final JwtEncoder jwtEncoder;
 
-  public record JwtClaimsSetParams(
-      long time, Instant now, String scope, Authentication authentication) {}
+  private final JwtDecoder jwtDecoder;
 
-  public TokenService(JwtEncoder jwtEncoder) {
+  @Autowired JpaUserDetailsService jpaUserDetailsService;
+  @Autowired RefreshTokenRepository refreshTokenRepository;
+
+  public record JwtClaimsSetParams(long time, Instant now, String scope, String username) {}
+
+  public TokenService(JwtEncoder jwtEncoder, JwtDecoder jwtDecoder) {
     this.jwtEncoder = jwtEncoder;
+    this.jwtDecoder = jwtDecoder;
   }
 
   public Map<String, String> generateToken(Authentication authentication) {
+    return generateToken(authentication.getName());
+  }
+
+  public Map<String, String> generateToken(User user) {
+    return generateToken(user.getEmail());
+  }
+
+  public Map<String, String> generateToken(String username) {
     Instant now = Instant.now();
-    String scope =
-        authentication.getAuthorities().stream()
-            .map(GrantedAuthority::getAuthority)
-            .collect(Collectors.joining(" "));
+    String scope = "";
     JwtClaimsSet claimsSetAccessToken =
-        buildJwtClaimsSet(new JwtClaimsSetParams(expiredTokenSeconds, now, scope, authentication));
+        buildJwtClaimsSet(new JwtClaimsSetParams(expiredTokenSeconds, now, scope, username));
     JwtClaimsSet claimsSetRefreshToken =
-        buildJwtClaimsSet(
-            new JwtClaimsSetParams(expiredRefreshSeconds, now, scope, authentication));
+        buildJwtClaimsSet(new JwtClaimsSetParams(expiredRefreshSeconds, now, scope, username));
     String accessToken = encodeToken(claimsSetAccessToken);
-    String refreshToken = encodeToken(claimsSetRefreshToken);
+    String refreshToken = setupRefreshToken(claimsSetRefreshToken);
     return Map.of("access_token", accessToken, "refresh_token", refreshToken);
   }
 
+  public String setupRefreshToken(JwtClaimsSet claimsSetRefreshToken) {
+    String token = encodeToken(claimsSetRefreshToken);
+    refreshTokenRepository.save(
+        RefreshToken.builder()
+            .token(token)
+            .user(jpaUserDetailsService.getAuthenticatedUser().getUser())
+            .expiresAt(claimsSetRefreshToken.getExpiresAt())
+            .build());
+    return token;
+  }
+
+  public void backlistToken(String token) {
+    RefreshToken refreshToken =
+        refreshTokenRepository
+            .findByToken(token)
+            .orElseThrow(() -> new EntityNotFoundException("token not found"));
+    refreshToken.setBlacklistedAt(Instant.now());
+    refreshTokenRepository.save(refreshToken);
+  }
+
+  public boolean isBlacklistedRefreshToken(String token) {
+    boolean state =
+        refreshTokenRepository
+            .findByToken(token)
+            .map(mapToken -> mapToken.getBlacklistedAt() != null)
+            .orElse(true);
+    return state;
+  }
+
   private JwtClaimsSet buildJwtClaimsSet(JwtClaimsSetParams params) {
+
+    Long userId = jpaUserDetailsService.getAuthenticatedUser().getUser().getId();
+
     JwtClaimsSet claimsSet =
         JwtClaimsSet.builder()
             .issuer("apps")
             .issuedAt(params.now())
             .expiresAt(params.now().plus(params.time(), ChronoUnit.SECONDS))
-            .subject(params.authentication().getName())
+            .subject(params.username())
             .claim("scope", params.scope())
-            .claim("user_id", "1")
+            .claim("user_id", userId)
             .build();
     return claimsSet;
   }
 
   public String encodeToken(JwtClaimsSet jwtClaimsSet) {
     return this.jwtEncoder.encode(JwtEncoderParameters.from(jwtClaimsSet)).getTokenValue();
   }
+
+  public void revokeToken(RefreshTokenRequest request) {
+    refreshTokenRepository.deleteByToken(request.token());
+  }
+
+  @Transactional(dontRollbackOn = BadCredentialsException.class)
+  public Map<String, String> doRefreshToken(RefreshTokenRequest request)
+      throws AuthenticationException {
+    try {
+      Jwt jwt = jwtDecoder.decode(request.token());
+      if (isBlacklistedRefreshToken(request.token())) {
+        refreshTokenRepository.deleteByToken(request.token());
+        throw new BadCredentialsException("refresh token is blacklisted");
+      }
+      Map<String, String> response = generateToken(jwt.getSubject());
+      backlistToken(request.token());
+      return response;
+    } catch (InsufficientAuthenticationException | BadJwtException e) {
+      throw new BadCredentialsException(e.getMessage());
+    } catch (Exception e) {
+      throw e;
+    }
+  }
 }

src/main/resources/db/migration/V3__create_refresh_token.sql

@@ -0,0 +1,26 @@
+-- V3__create_refresh_token.sql
+
+-- Create the auth schema if it doesn't exist
+CREATE SCHEMA IF NOT EXISTS auth;
+
+-- Create the refresh_token table
+CREATE TABLE IF NOT EXISTS auth.refresh_token (
+    id SERIAL PRIMARY KEY,
+    token TEXT NOT NULL UNIQUE,
+    user_id INTEGER,
+    expires_at TIMESTAMPTZ NOT NULL,
+    blacklisted_at TIMESTAMPTZ,
+
+    CONSTRAINT fk_user
+        FOREIGN KEY (user_id)
+        REFERENCES public.users(id)
+        ON DELETE SET NULL
+);
+
+-- Index for quick lookup by token
+CREATE INDEX IF NOT EXISTS idx_refresh_token_token
+    ON auth.refresh_token (token);
+
+-- Index to help with cleanup of expired tokens
+CREATE INDEX IF NOT EXISTS idx_refresh_token_blacklisted_at
+    ON auth.refresh_token (blacklisted_at);