JWT: separate access tokens and refresh tokens (#1315)

2025-11-19 18:07:12 +00:00
parent f3d963c285
commit 84454b54a1
33 changed files with 983 additions and 303 deletions
--- a/crates/utils/Cargo.toml
+++ b/crates/utils/Cargo.toml
@@ -23,7 +23,7 @@ sentry = { version = "0.41.0", features = ["anyhow", "backtrace", "panic", "debu
 sentry-tracing = { version = "0.41.0", features = ["backtrace"] }
 futures-util = "0.3"
 json-patch = "2.0"
-jsonwebtoken = { version = "10.0.0", features = ["rust_crypto"] }
+jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 tokio = { workspace = true }
 futures = "0.3.31"
 tokio-stream = { version = "0.1.17", features = ["sync"] }
--- a/crates/utils/src/api/oauth.rs
+++ b/crates/utils/src/api/oauth.rs
@@ -29,6 +29,20 @@ pub struct HandoffRedeemRequest {
 #[ts(export)]
 pub struct HandoffRedeemResponse {
    pub access_token: String,
+    pub refresh_token: String,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, TS)]
+#[ts(export)]
+pub struct TokenRefreshRequest {
+    pub refresh_token: String,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, TS)]
+#[ts(export)]
+pub struct TokenRefreshResponse {
+    pub access_token: String,
+    pub refresh_token: String,
 }

 #[derive(Debug, Serialize, Deserialize, Clone, TS)]
--- a/crates/utils/src/jwt.rs
+++ b/crates/utils/src/jwt.rs
@@ -0,0 +1,26 @@
+use chrono::{DateTime, Utc};
+use jsonwebtoken::dangerous::insecure_decode;
+use serde::Deserialize;
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum TokenClaimsError {
+    #[error("failed to decode JWT: {0}")]
+    Decode(#[from] jsonwebtoken::errors::Error),
+    #[error("missing `exp` claim in token")]
+    MissingExpiration,
+    #[error("invalid `exp` value `{0}`")]
+    InvalidExpiration(i64),
+}
+
+#[derive(Debug, Deserialize)]
+struct ExpClaim {
+    exp: Option<i64>,
+}
+
+/// Extract the expiration timestamp from a JWT without verifying its signature.
+pub fn extract_expiration(token: &str) -> Result<DateTime<Utc>, TokenClaimsError> {
+    let data = insecure_decode::<ExpClaim>(token)?;
+    let exp = data.claims.exp.ok_or(TokenClaimsError::MissingExpiration)?;
+    DateTime::from_timestamp(exp, 0).ok_or(TokenClaimsError::InvalidExpiration(exp))
+}
--- a/crates/utils/src/lib.rs
+++ b/crates/utils/src/lib.rs
@@ -8,6 +8,7 @@ pub mod assets;
 pub mod browser;
 pub mod diff;
 pub mod git;
+pub mod jwt;
 pub mod log_msg;
 pub mod msg_store;
 pub mod path;