Implement refresh-tokens. (resolves #50)

Signed-off-by: Jason Volk <jason@zemos.net>

src/api/client/device.rs

@@ -100,7 +100,8 @@ pub(crate) async fn update_device_route(
 				.create_device(
 					sender_user,
 					&device_id,
-					&appservice.registration.as_token,
+					(&appservice.registration.as_token, None),
+					None,
 					None,
 					Some(client.to_string()),
 				)

src/api/client/mod.rs

@@ -89,7 +89,7 @@ pub(super) use well_known::*;
 const DEVICE_ID_LENGTH: usize = 10;
 
 /// generated user access token length
-const TOKEN_LENGTH: usize = 32;
+const TOKEN_LENGTH: usize = tuwunel_service::users::device::TOKEN_LENGTH;
 
 /// generated user session ID length
 const SESSION_ID_LENGTH: usize = tuwunel_service::uiaa::SESSION_ID_LENGTH;

src/api/client/register.rs

@@ -17,8 +17,9 @@ use ruma::{
 	push,
 };
 use tuwunel_core::{Err, Error, Result, debug_info, error, info, is_equal_to, utils, warn};
+use tuwunel_service::users::device::generate_refresh_token;
 
-use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
+use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 
 const RANDOM_USER_ID_LENGTH: usize = 10;
@@ -432,7 +433,12 @@ pub(crate) async fn register_route(
 		.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
 
 	// Generate new token for the device
-	let token = utils::random_string(TOKEN_LENGTH);
+	let (access_token, expires_in) = services
+		.users
+		.generate_access_token(body.body.refresh_token);
+
+	// Generate a new refresh_token if requested by client
+	let refresh_token = expires_in.is_some().then(generate_refresh_token);
 
 	// Create device for this account
 	services
@@ -440,7 +446,8 @@ pub(crate) async fn register_route(
 		.create_device(
 			&user_id,
 			&device_id,
-			&token,
+			(&access_token, expires_in),
+			refresh_token.as_deref(),
 			body.initial_device_display_name.clone(),
 			Some(client.to_string()),
 		)
@@ -574,11 +581,11 @@ pub(crate) async fn register_route(
 	}
 
 	Ok(register::v3::Response {
-		access_token: Some(token),
 		user_id,
 		device_id: Some(device_id),
-		refresh_token: None,
-		expires_in: None,
+		access_token: Some(access_token),
+		refresh_token,
+		expires_in,
 	})
 }
 

src/api/client/session/mod.rs

@@ -3,6 +3,7 @@ mod jwt;
 mod ldap;
 mod logout;
 mod password;
+mod refresh;
 mod token;
 
 use axum::extract::State;
@@ -21,10 +22,12 @@ use ruma::api::client::session::{
 	},
 };
 use tuwunel_core::{Err, Result, info, utils, utils::stream::ReadyExt};
+use tuwunel_service::users::device::generate_refresh_token;
 
 use self::{ldap::ldap_login, password::password_login};
 pub(crate) use self::{
 	logout::{logout_all_route, logout_route},
+	refresh::refresh_token_route,
 	token::login_token_route,
 };
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
@@ -87,7 +90,12 @@ pub(crate) async fn login_route(
 	};
 
 	// Generate a new token for the device
-	let access_token = utils::random_string(TOKEN_LENGTH);
+	let (access_token, expires_in) = services
+		.users
+		.generate_access_token(body.body.refresh_token);
+
+	// Generate a new refresh_token if requested by client
+	let refresh_token = expires_in.is_some().then(generate_refresh_token);
 
 	// Generate new device id if the user didn't specify one
 	let device_id = body
@@ -108,7 +116,8 @@ pub(crate) async fn login_route(
 			.create_device(
 				&user_id,
 				&device_id,
-				&access_token,
+				(&access_token, expires_in),
+				refresh_token.as_deref(),
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
@@ -116,7 +125,13 @@ pub(crate) async fn login_route(
 	} else {
 		services
 			.users
-			.set_access_token(&user_id, &device_id, &access_token)
+			.set_access_token(
+				&user_id,
+				&device_id,
+				&access_token,
+				expires_in,
+				refresh_token.as_deref(),
+			)
 			.await?;
 	}
 
@@ -141,7 +156,7 @@ pub(crate) async fn login_route(
 		device_id,
 		home_server,
 		well_known,
-		expires_in: None,
-		refresh_token: None,
+		expires_in,
+		refresh_token,
 	})
 }

src/api/client/session/refresh.rs

@@ -0,0 +1,54 @@
+use axum::extract::State;
+use axum_client_ip::InsecureClientIp;
+use ruma::api::client::session::refresh_token::v3::{Request, Response};
+use tuwunel_core::{Err, Result, debug_info, err};
+use tuwunel_service::users::device::generate_refresh_token;
+
+use crate::Ruma;
+
+/// # `POST /_matrix/client/v3/refresh`
+///
+/// Refresh an access token.
+///
+/// <https://spec.matrix.org/v1.15/client-server-api/#post_matrixclientv3refresh>
+#[tracing::instrument(skip_all, fields(%client), name = "refresh_token")]
+pub(crate) async fn refresh_token_route(
+	State(services): State<crate::State>,
+	InsecureClientIp(client): InsecureClientIp,
+	body: Ruma<Request>,
+) -> Result<Response> {
+	let refresh_token_claim = body.body.refresh_token;
+
+	if !refresh_token_claim.starts_with("refresh_") {
+		return Err!(Request(Forbidden("Refresh token is malformed.")));
+	}
+
+	let (user_id, device_id, ..) = services
+		.users
+		.find_from_token(&refresh_token_claim)
+		.await
+		.map_err(|e| err!(Request(Forbidden("Refresh token is unrecognized: {e}"))))?;
+
+	// New tokens
+	let refresh_token = Some(generate_refresh_token());
+	let (access_token, expires_in_ms) = services.users.generate_access_token(true);
+
+	services
+		.users
+		.set_access_token(
+			&user_id,
+			&device_id,
+			&access_token,
+			expires_in_ms,
+			refresh_token.as_deref(),
+		)
+		.await?;
+
+	debug_info!(?user_id, ?device_id, ?expires_in_ms, "refreshed their access_token",);
+
+	Ok(Response {
+		access_token,
+		refresh_token,
+		expires_in_ms,
+	})
+}