internal/oauth/token.go

@@ -269,6 +269,26 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		refreshJTI, err := uuid.Parse(claims.ID)
+		if err != nil {
+			log.Printf("ERR: Failed to parse refresh token JTI as uuid: %v\n", err)
+			web.Error(w, "failed to refresh token", http.StatusInternalServerError)
+			return
+		}
+
+		session, err := h.repo.GetServiceSessionByRefreshJTI(r.Context(), &refreshJTI)
+		if err != nil {
+			log.Printf("ERR: Failed to find session by '%s' refresh jti: %v\n", refreshJTI.String(), err)
+			web.Error(w, "session invalid", http.StatusUnauthorized)
+			return
+		}
+
+		if !session.IsActive {
+			log.Printf("INFO: Session with id '%s' is not active", session.ID.String())
+			web.Error(w, "session ended", http.StatusUnauthorized)
+			return
+		}
+
 		userID, err := uuid.Parse(claims.UserID)
 		if err != nil {
 			web.Error(w, "invalid user credentials in refresh token", http.StatusBadRequest)
@@ -284,6 +304,17 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 
 		id, access, refresh, err := h.signApiTokens(&user, &apiService, nil)
 
+		if err := h.repo.UpdateServiceSessionTokens(r.Context(), repository.UpdateServiceSessionTokensParams{
+			ID:             session.ID,
+			AccessTokenID:  &access.ID,
+			RefreshTokenID: &refresh.ID,
+			ExpiresAt:      &refresh.ExpiresAt,
+		}); err != nil {
+			log.Printf("ERR: Failed to update service session with '%s' id: %v\n", session.ID.String(), err)
+			web.Error(w, "failed to update session", http.StatusInternalServerError)
+			return
+		}
+
 		type Response struct {
 			IdToken      string  `json:"id_token"`
 			TokenType    string  `json:"token_type"`