Using RefreshToken

Author: Rajeev Kumar Singh

polling-app-server/src/main/java/com/example/polls/controller/AuthController.java

@@ -1,17 +1,19 @@
 package com.example.polls.controller;
 
 import com.example.polls.exception.AppException;
+import com.example.polls.exception.BadRequestException;
+import com.example.polls.model.JwtRefreshToken;
 import com.example.polls.model.Role;
 import com.example.polls.model.RoleName;
 import com.example.polls.model.User;
-import com.example.polls.payload.ApiResponse;
-import com.example.polls.payload.JwtAuthenticationResponse;
-import com.example.polls.payload.LoginRequest;
-import com.example.polls.payload.SignUpRequest;
+import com.example.polls.payload.*;
+import com.example.polls.repository.RefreshTokenRepository;
 import com.example.polls.repository.RoleRepository;
 import com.example.polls.repository.UserRepository;
 import com.example.polls.security.JwtTokenProvider;
+import com.example.polls.security.UserPrincipal;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -27,6 +29,8 @@
 
 import javax.validation.Valid;
 import java.net.URI;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 
 /**
@@ -51,6 +55,12 @@ public class AuthController {
     @Autowired
     JwtTokenProvider tokenProvider;
 
+    @Autowired
+    RefreshTokenRepository refreshTokenRepository;
+
+    @Value("${app.jwtExpirationInMs}")
+    private long jwtExpirationInMs;
+
     @PostMapping("/signin")
     public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
 
@@ -63,8 +73,35 @@ public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest login
 
         SecurityContextHolder.getContext().setAuthentication(authentication);
 
-        String jwt = tokenProvider.generateToken(authentication);
-        return ResponseEntity.ok(new JwtAuthenticationResponse(jwt));
+        UserPrincipal userPrincipal = (UserPrincipal) authentication.getPrincipal();
+
+        String accessToken = tokenProvider.generateToken(userPrincipal);
+        String refreshToken = tokenProvider.generateRefreshToken();
+
+        saveRefreshToken(userPrincipal, refreshToken);
+
+        return ResponseEntity.ok(new JwtAuthenticationResponse(accessToken, refreshToken, jwtExpirationInMs));
+    }
+
+    @PostMapping("/refreshToken")
+    public ResponseEntity<?> refreshAccessToken(@Valid @RequestBody RefreshTokenRequest refreshTokenRequest) {
+        return refreshTokenRepository.findById(refreshTokenRequest.getRefreshToken()).map(jwtRefreshToken -> {
+            User user = jwtRefreshToken.getUser();
+            String accessToken = tokenProvider.generateToken(UserPrincipal.create(user));
+            return ResponseEntity.ok(new JwtAuthenticationResponse(accessToken, jwtRefreshToken.getToken(), jwtExpirationInMs));
+        }).orElseThrow(() -> new BadRequestException("Invalid Refresh Token"));
+    }
+
+    private void saveRefreshToken(UserPrincipal userPrincipal, String refreshToken) {
+        // Persist Refresh Token
+
+        JwtRefreshToken jwtRefreshToken = new JwtRefreshToken(refreshToken);
+        jwtRefreshToken.setUser(userRepository.getOne(userPrincipal.getId()));
+
+        Instant expirationDateTime = Instant.now().plus(360, ChronoUnit.DAYS);  // Todo Add this in application.properties
+        jwtRefreshToken.setExpirationDateTime(expirationDateTime);
+
+        refreshTokenRepository.save(jwtRefreshToken);
     }
 
     @PostMapping("/signup")

polling-app-server/src/main/java/com/example/polls/model/JwtRefreshToken.java

@@ -0,0 +1,49 @@
+package com.example.polls.model;
+
+import javax.persistence.*;
+import java.time.Instant;
+
+@Entity
+@Table(name = "refresh_tokens")
+public class JwtRefreshToken {
+    @Id
+    private String token;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+    private Instant expirationDateTime;
+
+    public JwtRefreshToken() {
+
+    }
+
+    public JwtRefreshToken(String token) {
+        this.token = token;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public User getUser() {
+        return user;
+    }
+
+    public void setUser(User user) {
+        this.user = user;
+    }
+
+    public Instant getExpirationDateTime() {
+        return expirationDateTime;
+    }
+
+    public void setExpirationDateTime(Instant expirationDateTime) {
+        this.expirationDateTime = expirationDateTime;
+    }
+}

polling-app-server/src/main/java/com/example/polls/payload/JwtAuthenticationResponse.java

@@ -5,10 +5,22 @@
  */
 public class JwtAuthenticationResponse {
     private String accessToken;
+    private String refreshToken;
     private String tokenType = "Bearer";
+    private Long expiresInMsec;
 
-    public JwtAuthenticationResponse(String accessToken) {
+    public JwtAuthenticationResponse(String accessToken, String refreshToken, Long expiresInMsec) {
         this.accessToken = accessToken;
+        this.refreshToken = refreshToken;
+        this.expiresInMsec = expiresInMsec;
+    }
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+
+    public void setRefreshToken(String refreshToken) {
+        this.refreshToken = refreshToken;
     }
 
     public String getAccessToken() {
@@ -26,4 +38,12 @@ public String getTokenType() {
     public void setTokenType(String tokenType) {
         this.tokenType = tokenType;
     }
+
+    public Long getExpiresInMsec() {
+        return expiresInMsec;
+    }
+
+    public void setExpiresInMsec(Long expiresInMsec) {
+        this.expiresInMsec = expiresInMsec;
+    }
 }

polling-app-server/src/main/java/com/example/polls/payload/RefreshTokenRequest.java

@@ -0,0 +1,16 @@
+package com.example.polls.payload;
+
+import javax.validation.constraints.NotBlank;
+
+public class RefreshTokenRequest {
+    @NotBlank
+    private String refreshToken;
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+
+    public void setRefreshToken(String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+}

polling-app-server/src/main/java/com/example/polls/repository/RefreshTokenRepository.java

@@ -0,0 +1,10 @@
+package com.example.polls.repository;
+
+import com.example.polls.model.JwtRefreshToken;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface RefreshTokenRepository extends JpaRepository<JwtRefreshToken, String> {
+
+}

polling-app-server/src/main/java/com/example/polls/security/JwtTokenProvider.java

@@ -8,6 +8,7 @@
 import org.springframework.stereotype.Component;
 
 import java.util.Date;
+import java.util.UUID;
 
 /**
  * Created by rajeevkumarsingh on 19/08/17.
@@ -21,12 +22,9 @@ public class JwtTokenProvider {
     private String jwtSecret;
 
     @Value("${app.jwtExpirationInMs}")
-    private int jwtExpirationInMs;
-
-    public String generateToken(Authentication authentication) {
-
-        UserPrincipal userPrincipal = (UserPrincipal) authentication.getPrincipal();
+    private long jwtExpirationInMs;
 
+    public String generateToken(UserPrincipal userPrincipal) {
         Date now = new Date();
         Date expiryDate = new Date(now.getTime() + jwtExpirationInMs);
 
@@ -38,6 +36,11 @@ public String generateToken(Authentication authentication) {
                 .compact();
     }
 
+    public String generateRefreshToken() {
+        // generate a random UUID as refresh token
+        return UUID.randomUUID().toString();
+    }
+
     public Long getUserIdFromJWT(String token) {
         Claims claims = Jwts.parser()
                 .setSigningKey(jwtSecret)

polling-app-server/src/main/resources/application.properties

@@ -25,7 +25,8 @@ spring.jackson.time-zone= UTC
 
 ## App Properties
 app.jwtSecret= JWTSuperSecretKey
-app.jwtExpirationInMs = 604800000
+#app.jwtExpirationInMs = 604800000
+app.jwtExpirationInMs = 60000
 
 ## Spring Profiles
 # spring.profiles.active=prod