new auth

core/schemas.py

@@ -12,12 +12,14 @@ class GoogleAuthRequest(BaseModel):
     """Request with Google ID token from frontend Sign-In."""
     id_token: str = Field(..., min_length=1, description="Google ID token from Sign-In")
     temp_user_id: Optional[str] = Field(None, description="Optional temp user ID for linking")
+    client_type: str = Field("web", description="Client type: 'web' (cookies) or 'mobile' (body)")
 
 
 class AuthResponse(BaseModel):
     """Response after successful Google authentication."""
     success: bool
     access_token: str
+    refresh_token: str
     user_id: str
     email: str
     name: Optional[str] = None
@@ -36,11 +38,13 @@ class UserInfoResponse(BaseModel):
 
 class TokenRefreshRequest(BaseModel):
     """Request to refresh an access token."""
-    token: str = Field(..., description="Current access token to refresh")
+    """Request to refresh an access token."""
+    token: Optional[str] = Field(None, description="Current refresh token (optional if in cookie)")
 
 
 class TokenRefreshResponse(BaseModel):
     """Response with refreshed access token."""
     success: bool
     access_token: str
+    refresh_token: str
 

dependencies.py

@@ -36,16 +36,16 @@ async def check_rate_limit(
     now = datetime.utcnow()
     window_start = now - timedelta(minutes=window_minutes)
     
-    # Check existing limit
+    # Check existing limit (get most recent if multiple exist)
     query = select(RateLimit).where(
         and_(
             RateLimit.identifier == identifier,
             RateLimit.endpoint == endpoint,
             RateLimit.window_start >= window_start
         )
-    )
+    ).order_by(RateLimit.window_start.desc())
     result = await db.execute(query)
-    rate_limit = result.scalar_one_or_none()
+    rate_limit = result.scalars().first()
     
     if rate_limit:
         if rate_limit.attempts >= limit:
@@ -104,6 +104,14 @@ async def get_current_user(
     
     try:
         payload = verify_access_token(token)
+        
+        # Ensure it's an access token, not a refresh token
+        if payload.extra.get("type") == "refresh":
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Cannot use refresh token for API access"
+            )
+            
     except TokenExpiredError:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,

routers/auth.py

@@ -32,6 +32,7 @@ from services.auth_service.google_provider import (
 from services.auth_service.jwt_provider import (
     JWTService,
     create_access_token,
+    create_refresh_token,
     get_jwt_service,
     InvalidTokenError as JWTInvalidTokenError,
 )
@@ -78,15 +79,11 @@ async def google_auth(
     """
     Authenticate with Google ID token.
     
-    Frontend flow:
-    1. User clicks "Sign in with Google" button
-    2. Google returns an ID token
-    3. Frontend sends that token to this endpoint
-    4. We verify it with Google and issue our own JWT
-    
-    Creates new user or returns existing user.
-    Existing users matched by email.
+    Supports two client types:
+    - "web": Sets refresh_token in HttpOnly cookie (secure)
+    - "mobile": Returns refresh_token in JSON body
     """
+    response = JSONResponse(content={})  # Placeholder, will be populated later
     ip = req.client.host
     
     # Rate Limit: 10 attempts per minute per IP
@@ -200,23 +197,44 @@ async def google_auth(
     )
     await db.commit()
     
-    # Create our JWT access token with current token_version
+    # Create our JWT access token and refresh token
     access_token = create_access_token(user.user_id, user.email, user.token_version)
+    refresh_token = create_refresh_token(user.user_id, user.email, user.token_version)
     
     # Sync DB to Drive (Async)
     from services.backup_service import get_backup_service
     backup_service = get_backup_service()
     background_tasks.add_task(backup_service.backup_async)
     
-    return AuthResponse(
-        success=True,
-        access_token=access_token,
-        user_id=user.user_id,
-        email=user.email,
-        name=user.name,
-        credits=user.credits,
-        is_new_user=is_new_user
-    )
+    # Prepare response data
+    response_data = {
+        "success": True,
+        "access_token": access_token,
+        "user_id": user.user_id,
+        "email": user.email,
+        "name": user.name,
+        "credits": user.credits,
+        "is_new_user": is_new_user
+    }
+    
+    # Handle token delivery based on client type
+    if request.client_type == "web":
+        # Web: Set HttpOnly cookie for refresh token
+        response = JSONResponse(content=response_data)
+        response.set_cookie(
+            key="refresh_token",
+            value=refresh_token,
+            httponly=True,
+            secure=True,  # Should be True in production
+            samesite="lax",
+            max_age=7 * 24 * 60 * 60  # 7 days
+        )
+    else:
+        # Mobile: Return refresh token in body
+        response_data["refresh_token"] = refresh_token
+        response = JSONResponse(content=response_data)
+        
+    return response
 
 
 @router.get("/me", response_model=UserInfoResponse)
@@ -254,8 +272,8 @@ async def refresh_token(
     """
     ip = req.client.host
     
-    # Rate Limit: 5 refreshes per minute per IP
-    if not await check_rate_limit(db, ip, "/auth/refresh", 5, 1):
+    # Rate Limit: 20 refreshes per minute per IP (increased for proactive refresh on page load)
+    if not await check_rate_limit(db, ip, "/auth/refresh", 20, 1):
         raise HTTPException(
             status_code=status.HTTP_429_TOO_MANY_REQUESTS,
             detail="Too many refresh attempts"
@@ -264,10 +282,24 @@ async def refresh_token(
     try:
         jwt_service = get_jwt_service()
         
+        # Get token from body or cookie
+        token_to_refresh = request.token
+        using_cookie = False
+        
+        if not token_to_refresh:
+            token_to_refresh = req.cookies.get("refresh_token")
+            using_cookie = True
+            
+        if not token_to_refresh:
+             raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Refresh token missing"
+            )
+        
         # Decode the token (without verifying expiry) to get user info
         import jwt as pyjwt
         payload = pyjwt.decode(
-            request.token,
+            token_to_refresh,
             jwt_service.secret_key,
             algorithms=[jwt_service.algorithm],
             options={"verify_exp": False}
@@ -275,9 +307,17 @@ async def refresh_token(
         
         user_id = payload.get("sub")
         token_version = payload.get("tv", 1)
+        token_type = payload.get("type", "access")
         
         if not user_id:
             raise JWTInvalidTokenError("Token missing required claims")
+            
+        # Verify it's a refresh token
+        if token_type != "refresh":
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token type. Expected refresh token."
+            )
         
         # Check if user exists and token version is still valid
         query = select(User).where(User.user_id == user_id, User.is_active == True)
@@ -297,13 +337,33 @@ async def refresh_token(
                 detail="Token has been invalidated. Please sign in again."
             )
         
-        # Create new token with current token_version
-        new_token = create_access_token(user.user_id, user.email, user.token_version)
+        # Create new access token
+        new_access_token = create_access_token(user.user_id, user.email, user.token_version)
         
-        return TokenRefreshResponse(
-            success=True,
-            access_token=new_token
-        )
+        # ROTATION: Issue new refresh token
+        new_refresh_token = create_refresh_token(user.user_id, user.email, user.token_version)
+        
+        response_data = {
+            "success": True,
+            "access_token": new_access_token
+        }
+        
+        if using_cookie:
+            # If came from cookie, rotate cookie
+            response = JSONResponse(content=response_data)
+            response.set_cookie(
+                key="refresh_token",
+                value=new_refresh_token,
+                httponly=True,
+                secure=True,
+                samesite="lax",
+                max_age=7 * 24 * 60 * 60
+            )
+            return response
+        else:
+            # If came from body, return in body
+            response_data["refresh_token"] = new_refresh_token
+            return TokenRefreshResponse(**response_data)
     except JWTInvalidTokenError as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
@@ -346,4 +406,6 @@ async def logout(
     backup_service = get_backup_service()
     background_tasks.add_task(backup_service.backup_async)
     
-    return {"success": True, "message": "Logged out successfully. All sessions invalidated."}
+    response = JSONResponse(content={"success": True, "message": "Logged out successfully. All sessions invalidated."})
+    response.delete_cookie(key="refresh_token")
+    return response

services/auth_service/jwt_provider.py

@@ -60,6 +60,7 @@ class TokenPayload:
     issued_at: datetime
     expires_at: datetime
     token_version: int = 1
+    token_type: str = "access"  # "access" or "refresh"
     extra: Dict[str, Any] = None
     
     def __post_init__(self):
@@ -122,30 +123,33 @@ class JWTService:
     
     # Default configuration
     DEFAULT_ALGORITHM = "HS256"
-    DEFAULT_EXPIRY_HOURS = 168  # 7 days
+    DEFAULT_ACCESS_EXPIRY_MINUTES = 15  # 15 minutes
+    DEFAULT_REFRESH_EXPIRY_DAYS = 7     # 7 days
     
     def __init__(
         self,
         secret_key: Optional[str] = None,
         algorithm: Optional[str] = None,
-        expiry_hours: Optional[int] = None
+        access_expiry_minutes: Optional[int] = None,
+        refresh_expiry_days: Optional[int] = None
     ):
         """
         Initialize the JWT Service.
         
         Args:
-            secret_key: Secret key for signing tokens. If not provided,
-                       falls back to JWT_SECRET environment variable.
+            secret_key: Secret key for signing tokens.
             algorithm: JWT algorithm (default: HS256).
-            expiry_hours: Token expiry in hours (default: 168 = 7 days).
-        
-        Raises:
-            ConfigurationError: If no secret_key is provided or found.
+            access_expiry_minutes: Access token expiry (default: 15 min).
+            refresh_expiry_days: Refresh token expiry (default: 7 days).
         """
         self.secret_key = secret_key or os.getenv("JWT_SECRET")
         self.algorithm = algorithm or os.getenv("JWT_ALGORITHM", self.DEFAULT_ALGORITHM)
-        self.expiry_hours = expiry_hours or int(
-            os.getenv("JWT_EXPIRY_HOURS", str(self.DEFAULT_EXPIRY_HOURS))
+        
+        self.access_expiry_minutes = access_expiry_minutes or int(
+            os.getenv("JWT_ACCESS_EXPIRY_MINUTES", str(self.DEFAULT_ACCESS_EXPIRY_MINUTES))
+        )
+        self.refresh_expiry_days = refresh_expiry_days or int(
+            os.getenv("JWT_REFRESH_EXPIRY_DAYS", str(self.DEFAULT_REFRESH_EXPIRY_DAYS))
         )
         
         if not self.secret_key:
@@ -163,40 +167,38 @@ class JWTService:
             )
         
         logger.info(
-            f"JWTService initialized (algorithm={self.algorithm}, "
-            f"expiry={self.expiry_hours}h)"
+            f"JWTService initialized (alg={self.algorithm}, "
+            f"access={self.access_expiry_minutes}m, refresh={self.refresh_expiry_days}d)"
         )
     
     def create_token(
         self,
         user_id: str,
         email: str,
+        token_type: str = "access",
         token_version: int = 1,
         extra_claims: Optional[Dict[str, Any]] = None,
-        expiry_hours: Optional[int] = None
+        expiry_delta: Optional[timedelta] = None
     ) -> str:
         """
-        Create a JWT token for a user.
-        
-        Args:
-            user_id: The user's unique identifier.
-            email: The user's email address.
-            token_version: User's current token version for invalidation.
-            extra_claims: Additional claims to include in the token.
-            expiry_hours: Custom expiry for this token (overrides default).
-        
-        Returns:
-            str: The encoded JWT token.
+        Create a JWT token.
         """
         now = datetime.utcnow()
-        expiry = expiry_hours or self.expiry_hours
+        
+        if expiry_delta:
+            expires_at = now + expiry_delta
+        elif token_type == "refresh":
+            expires_at = now + timedelta(days=self.refresh_expiry_days)
+        else:
+            expires_at = now + timedelta(minutes=self.access_expiry_minutes)
         
         payload = {
             "sub": user_id,
             "email": email,
-            "tv": token_version,  # Token version for invalidation
+            "type": token_type,
+            "tv": token_version,
             "iat": now,
-            "exp": now + timedelta(hours=expiry),
+            "exp": expires_at,
         }
         
         if extra_claims:
@@ -204,8 +206,18 @@ class JWTService:
         
         token = jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
         
-        logger.debug(f"Created token for user_id={user_id} (version={token_version})")
+        token = jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
+        
+        logger.debug(f"Created {token_type} token for {user_id}")
         return token
+
+    def create_access_token(self, user_id: str, email: str, token_version: int = 1, **kwargs) -> str:
+        """Create a short-lived access token."""
+        return self.create_token(user_id, email, "access", token_version, **kwargs)
+
+    def create_refresh_token(self, user_id: str, email: str, token_version: int = 1, **kwargs) -> str:
+        """Create a long-lived refresh token."""
+        return self.create_token(user_id, email, "refresh", token_version, **kwargs)
     
     def verify_token(self, token: str) -> TokenPayload:
         """
@@ -234,19 +246,20 @@ class JWTService:
             # Extract standard claims
             user_id = payload.get("sub")
             email = payload.get("email")
-            token_version = payload.get("tv", 1)  # Default to 1 for backward compatibility
+            token_type = payload.get("type", "access")  # Default to access for backward compat
+            token_version = payload.get("tv", 1)
             iat = payload.get("iat")
             exp = payload.get("exp")
             
             if not user_id or not email:
                 raise InvalidTokenError("Token missing required claims (sub, email)")
             
-            # Convert timestamps to datetime
+            # Convert timestamps
             issued_at = datetime.utcfromtimestamp(iat) if isinstance(iat, (int, float)) else iat
             expires_at = datetime.utcfromtimestamp(exp) if isinstance(exp, (int, float)) else exp
             
             # Extract extra claims
-            standard_claims = {"sub", "email", "tv", "iat", "exp"}
+            standard_claims = {"sub", "email", "type", "tv", "iat", "exp"}
             extra = {k: v for k, v in payload.items() if k not in standard_claims}
             
             return TokenPayload(
@@ -255,6 +268,7 @@ class JWTService:
                 issued_at=issued_at,
                 expires_at=expires_at,
                 token_version=token_version,
+                token_type=token_type,
                 extra=extra
             )
             
@@ -366,7 +380,13 @@ def create_access_token(user_id: str, email: str, token_version: int = 1, **kwar
     Returns:
         str: The encoded JWT token.
     """
-    return get_jwt_service().create_token(user_id, email, token_version, **kwargs)
+def create_access_token(user_id: str, email: str, token_version: int = 1, **kwargs) -> str:
+    """Convenience function to create an access token."""
+    return get_jwt_service().create_access_token(user_id, email, token_version, **kwargs)
+
+def create_refresh_token(user_id: str, email: str, token_version: int = 1, **kwargs) -> str:
+    """Convenience function to create a refresh token."""
+    return get_jwt_service().create_refresh_token(user_id, email, token_version, **kwargs)
 
 
 def verify_access_token(token: str) -> TokenPayload: