chore: authorization with refresh token

Author: fullstackondemand

.env-sample

@@ -9,5 +9,9 @@ CORS_ORIGIN = *
 SHOW_ERROR = 1 or 0
 
 # Access Token Variables
-ACCESS_TOKEN_SECRET =
-ACCESS_TOKEN_EXPIRY =
+ACCESS_TOKEN_SECRET = 
+ACCESS_TOKEN_EXPIRY = In Minutes
+
+# Refresh Token Variables
+REFRESH_TOKEN_SECRET = 
+REFRESH_TOKEN_EXPIRY = In Days

src/Controller/AbstractAuthController.php

@@ -8,7 +8,7 @@
 use Slim\Exception\HttpBadRequestException;
 use Slim\Exception\HttpUnauthorizedException;
 
-/** Abstract Authorization Controller Functions */
+/** Abstract Authentication Controller Functions */
 class AbstractAuthController extends AbstractController {
 
     /** Login Function */
@@ -44,8 +44,12 @@ public function login($req, $res) {
         /** Generated Access Token  */
         $accessToken = $user->generateAccessToken();
 
+        /** Generated Refresh Token  */
+        $refreshToken = $user->generateRefreshToken();
+
         // Add Authorization Cookies
-        setcookie('SSID', $accessToken, time() + 84600 * intval($_ENV['ACCESS_TOKEN_EXPIRY']), path: '/', secure: true, httponly: true);
+        setcookie('SSID', $accessToken, time() + 60 * (int) $_ENV['ACCESS_TOKEN_EXPIRY'], path: '/', secure: true, httponly: true);
+        setcookie('RTID', $refreshToken, time() + 86400 * (int) $_ENV['REFRESH_TOKEN_EXPIRY'], path: '/api/', secure: true, httponly: true);
 
         return response($req, $res, new Response(message: "User logged in successfully.", data: ['accessToken' => $accessToken]));
     }
@@ -55,6 +59,7 @@ public function logout($req, $res) {
 
         // Remove Authorization Cookies
         setcookie('SSID', '', time() - 100, path: '/', secure: true, httponly: true);
+        setcookie('RTID', '', time() - 100, path: '/api/', secure: true, httponly: true);
 
         return response($req, $res, new Response(message: "User logged out successfully."));
     }

src/Entity/AbstractAuthEntity.php

@@ -6,7 +6,7 @@
 use Doctrine\ORM\Mapping as ORM;
 use Doctrine\ORM\Event as Event;
 
-/** Abstract Authorization Entity Functions */
+/** Abstract Authentication Entity Functions */
 class AbstractAuthEntity extends AbstractEntity {
 
     #[ORM\PrePersist]
@@ -31,7 +31,19 @@ public function verifyPassword($password) {
     public function generateAccessToken() {
         return JWT::encode([
             'id' => $this->id,
-            'username' => $this->username
+            'iat' => time(),
+            'exp' => time() + 60 * (int) $_ENV['ACCESS_TOKEN_EXPIRY'],
         ], $_ENV['ACCESS_TOKEN_SECRET'], 'HS256');
     }
+
+    /** Generate Refresh Token Function */
+    public function generateRefreshToken() {
+        return JWT::encode([
+            'id' => $this->id,
+            'username' => $this->username,
+            'name' => $this->name,
+            'iat' => time(),
+            'exp' => time() + 86400 * (int) $_ENV['REFRESH_TOKEN_EXPIRY'],
+        ], $_ENV['REFRESH_TOKEN_SECRET'], 'HS256');
+    }
 }

src/Middleware/AbstractAuthMiddleware.php

@@ -25,6 +25,26 @@ public function process(Request $req, RequestHandler $handler): ResponseInterfac
         /** User Access Token */
         $token = $_COOKIE['SSID'] ?? str_replace('Bearer ', '', $req->getHeader('Authorization'))[0] ?? $req->getQueryParams()['accessToken'] ?? null;
 
+        /** Server Access Token */
+        $refreshToken = $_COOKIE['RTID'] ?? null;
+
+        // Genrate Access Token to Refresh Token
+        if ($refreshToken && !$token):
+
+            /** Decode Json Web Token */
+            $decodedToken = (array) JWT::decode($refreshToken, new Key($_ENV['REFRESH_TOKEN_SECRET'], 'HS256'));
+
+            /** Check User Entity */
+            $user = $this->_user->findById($decodedToken['id']);
+
+            /** Generated Access Token  */
+            $accessToken = $user->generateAccessToken();
+
+            // Add Authorization Cookies
+            setcookie('SSID', $accessToken, time() + 60 * (int) $_ENV['ACCESS_TOKEN_EXPIRY'], path: '/', secure: true, httponly: true);
+            $token = $accessToken;
+        endif;
+
         if (!$token)
             throw new HttpUnauthorizedException($req, 'Unauthorized request');