1 files changed, 41 insertions, 7 deletions

diff --git a/api/main.py b/api/main.py
index ac7b927..54d9f5e 100644
--- a/api/main.py
+++ b/api/main.py
@@ -1,11 +1,10 @@
-from fastapi import FastAPI, Depends, HTTPException, Security, status
+import random
+from fastapi import FastAPI, Depends, HTTPException, status
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import RedirectResponse
 from datetime import timedelta
 from typing import Annotated
-from fastapi.security import OAuth2PasswordRequestForm
-import string
-import random
+from fastapi.security import OAuth2PasswordRequestForm, OAuth2PasswordBearer
 
 from api.util.authentication import (
     authenticate_user,
@@ -14,7 +13,7 @@ from api.util.authentication import (
 )
 from api.routes.links_route import router as links_router
 from api.util.db_dependency import get_db
-from api.schemas.auth_schemas import User, Token
+from api.schemas.auth_schemas import Token, User
 
 
 metadata_tags = [
@@ -41,6 +40,10 @@ app.add_middleware(
     allow_credentials=True,
 )
 
+secret_key = random.randbytes(32)
+algorithm = "HS256"
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
 # Import routes
 app.include_router(links_router)
 
@@ -65,11 +68,42 @@ async def login_for_access_token(
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )
+    access_token_expires = timedelta(minutes=15)
+    access_token = create_access_token(
+        data={"sub": user.username, "refresh": False},
+        expires_delta=access_token_expires,
+    )
+    # Create a refresh token - just an access token with a longer expiry
+    # and more restrictions ("refresh" is True)
+    refresh_token_expire = timedelta(days=1)
+    refresh_token = create_access_token(
+        data={"sub": user.username, "refresh": True},
+        expire_delta=refresh_token_expire,
+    )
+    return Token(
+        access_token=access_token,
+        refresh_token=refresh_token,
+        token_type="bearer",
+    )
+
+
+# Full native JWT support is not complete in FastAPI yet :(
+# Part of that is token refresh, so we must implement it ourselves
+@app.post("/refresh")
+async def refresh_access_token(
+    current_user: Annotated[User, Depends(get_current_user, refresh=True)],
+):
+    """
+    Return a new access token if the refresh token is valid
+    """
     access_token_expires = timedelta(minutes=30)
     access_token = create_access_token(
-        data={"sub": user.username}, expires_delta=access_token_expires
+        data={"sub": current_user.username}, expires_delta=access_token_expires
+    )
+    return Token(
+        access_token=access_token,
+        token_type="bearer",
     )
-    return Token(access_token=access_token, token_type="bearer")
 
 
 # Redirect /api -> /api/docs