vitorhugo-java
diff --git a/‎src/main/java/com/espacogeek/geek/config/GraphQlCookieInterceptor.java‎
Lines changed: 38 additions & 44 deletions b/‎src/main/java/com/espacogeek/geek/config/GraphQlCookieInterceptor.java‎
Lines changed: 38 additions & 44 deletions
diff --git a/‎src/main/java/com/espacogeek/geek/config/JwtConfig.java‎
Lines changed: 89 additions & 39 deletions b/‎src/main/java/com/espacogeek/geek/config/JwtConfig.java‎
Lines changed: 89 additions & 39 deletions
@@ -1,7 +1,8 @@
 package com.espacogeek.geek.config;
 
 import java.net.URI;
-import java.util.Map;
+import java.util.ArrayList;
+import java.util.List;
 
 import org.springframework.context.annotation.Configuration;
 import org.springframework.graphql.server.WebGraphQlInterceptor;
@@ -10,12 +11,25 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseCookie;
 import org.springframework.lang.NonNull;
-import org.springframework.util.StringUtils;
 
 import reactor.core.publisher.Mono;
 
 /**
- * Interceptor to set/clear HttpOnly auth cookie after login/logout GraphQL operations.
+ * Interceptor that manages {@code refreshToken} HttpOnly cookie operations for login,
+ * refreshToken, and logout GraphQL mutations.
+ *
+ * <p>Before execution begins, this interceptor injects two shared containers into the
+ * {@link graphql.GraphQLContext}:</p>
+ * <ul>
+ *   <li>{@code "pendingRefreshTokens"} – controller methods add a refresh token here when
+ *       one should be set as an HttpOnly cookie on the response.</li>
+ *   <li>{@code "clearRefreshCookieHolder"} – a {@code boolean[1]} array; controller methods
+ *       set index {@code [0]} to {@code true} to signal that the refresh token cookie should
+ *       be cleared (e.g., on logout).</li>
+ * </ul>
+ * <p>After execution completes, this interceptor reads the containers and writes the
+ * appropriate {@code Set-Cookie} header to the HTTP response via
+ * {@link WebGraphQlResponse#getResponseHeaders()}.</p>
  */
 @Configuration
 public class GraphQlCookieInterceptor implements WebGraphQlInterceptor {
@@ -26,54 +40,34 @@ public GraphQlCookieInterceptor(JwtConfig jwtConfig) {
         this.jwtConfig = jwtConfig;
     }
 
-    @SuppressWarnings("null")
     @Override
     public @NonNull Mono<WebGraphQlResponse> intercept(@NonNull WebGraphQlRequest request, @NonNull Chain chain) {
+        // Shared containers — populated by controller methods via GraphQLContext during execution
+        List<String> pendingRefreshTokens = new ArrayList<>();
+        boolean[] clearRefreshCookieHolder = {false};
+
+        request.configureExecutionInput((input, builder) ->
+                builder.graphQLContext(ctx -> {
+                    ctx.put("pendingRefreshTokens", pendingRefreshTokens);
+                    ctx.put("clearRefreshCookieHolder", clearRefreshCookieHolder);
+                }).build());
+
         return chain.next(request).map(response -> {
-            String operationName = request.getOperationName();
-            if (!StringUtils.hasText(operationName)) {
-                operationName = extractTopFieldName(request.getDocument());
-            }
+            String origin = request.getHeaders().getFirst(HttpHeaders.ORIGIN);
+            URI serverUri = request.getUri().toUri();
 
-            if (operationName != null) {
-                URI serverUri = request.getUri().toUri();
-                String origin = request.getHeaders().getFirst(HttpHeaders.ORIGIN);
+            if (!pendingRefreshTokens.isEmpty()) {
+                ResponseCookie cookie = jwtConfig.buildRefreshTokenCookie(
+                        pendingRefreshTokens.get(0), origin, serverUri);
+                response.getResponseHeaders().add(HttpHeaders.SET_COOKIE, cookie.toString());
+            }
 
-                Map<String, Object> data = response.getData();
-                if ("login".equals(operationName.toLowerCase())) {
-                    if (data != null) {
-                        Object val = data.get("login");
-                        if (val instanceof String token && !token.isBlank()) {
-                            ResponseCookie cookie = jwtConfig.buildAuthCookie(token, origin, serverUri);
-                            response.getResponseHeaders().add(HttpHeaders.SET_COOKIE, cookie.toString());
-                        }
-                    }
-                } else if ("logout".equals(operationName.toLowerCase())) {
-                    ResponseCookie clear = jwtConfig.clearAuthCookie(origin, serverUri);
-                    response.getResponseHeaders().add(HttpHeaders.SET_COOKIE, clear.toString());
-                }
+            if (clearRefreshCookieHolder[0]) {
+                ResponseCookie clear = jwtConfig.clearRefreshTokenCookie(origin, serverUri);
+                response.getResponseHeaders().add(HttpHeaders.SET_COOKIE, clear.toString());
             }
+
             return response;
         });
     }
-
-    private String extractTopFieldName(String document) {
-        if (document == null) return null;
-        String s = document.stripLeading();
-        int idx = s.indexOf('{');
-        if (idx >= 0) {
-            String after = s.substring(idx + 1).trim();
-            int end = after.indexOf('(');
-            int space = after.indexOf(' ');
-            int brace = after.indexOf('}');
-            int cut = Integer.MAX_VALUE;
-            if (end >= 0) cut = Math.min(cut, end);
-            if (space >= 0) cut = Math.min(cut, space);
-            if (brace >= 0) cut = Math.min(cut, brace);
-            if (cut != Integer.MAX_VALUE) {
-                return after.substring(0, cut).trim();
-            }
-        }
-        return null;
-    }
 }
@@ -33,22 +33,29 @@ public class JwtConfig {
     @Value("${security.jwt.secret:ZmFrZS1zZWNyZXQtZmFrZS1zZWNyZXQtZmFrZS1zZWNyZXQtMTIzNDU2}")
     private String secret;
 
+    /** Long-lived refresh token expiry (default 7 days). Used for the refreshToken cookie. */
     @Value("${security.jwt.expiration-ms:604800000}")
     private long expirationMs;
 
+    /** Short-lived access token expiry (default 15 minutes). Returned in the JSON payload. */
+    @Value("${security.jwt.access-token-expiration-ms:900000}")
+    private long accessTokenExpirationMs;
+
     @Value("${security.jwt.issuer:espaco-geek}")
     private String issuer;
 
-    // Cookie settings
-    @Value("${security.jwt.cookie-name:EG_AUTH}")
-    private String cookieName;
-
+    // Cookie shared settings (path, domain, SameSite) used for both the refresh token cookie
+    // and any other cookie-related operations. The legacy EG_AUTH cookie is no longer used.
     @Value("${security.jwt.cookie-path:/}")
     private String cookiePath;
 
     @Value("${security.jwt.cookie-domain:}")
     private String cookieDomain;
 
+    // Refresh token cookie settings
+    @Value("${security.jwt.refresh-token-cookie-name:refreshToken}")
+    private String refreshTokenCookieName;
+
     // When request is same-site, which SameSite to use (Lax or Strict). Default Lax.
     @Value("${security.jwt.same-site-when-same-site:Lax}")
     private String sameSiteWhenSameSite;
@@ -64,19 +71,13 @@ private SecretKey getSigningKey() {
     }
 
     /**
-     * Generate a signed JWT for the given user.
-     * @param user the authenticated user
-     * @return compact JWT string
+     * Build the normalized roles list for a user.
      */
-    public String generateToken(UserModel user) {
-        Instant now = Instant.now();
-
-        // Build roles list from user.userRole (comma separated) and ensure ID_ claim is included
+    private List<String> buildRolesList(UserModel user) {
         List<String> rolesList = new ArrayList<>();
         String raw = user.getUserRole();
         if (raw != null && !raw.isBlank()) {
             String[] parts = raw.replaceAll("\\s", "").split(",");
-            // Normalize roles: if a role doesn't start with ROLE_ or ID_, prefix with ROLE_
             rolesList.addAll(Arrays.stream(parts)
                     .map(s -> s == null ? null : s.trim())
                     .filter(s -> s != null && !s.isBlank())
@@ -86,24 +87,68 @@ public String generateToken(UserModel user) {
                     })
                     .toList());
         }
-        // Ensure at least ROLE_user is present as a fallback
         if (rolesList.isEmpty()) {
             rolesList.add("ROLE_user");
         }
-        // Add device/user identifier role (keep ID_ as-is)
         rolesList.add("ID_" + user.getId());
+        return rolesList;
+    }
+
+    /**
+     * Generate a short-lived access token (15 min by default) for the given user.
+     * The token carries {@code type=access} and is intended to be returned in the JSON payload.
+     *
+     * @param user the authenticated user
+     * @return compact JWT string
+     */
+    public String generateAccessToken(UserModel user) {
+        Instant now = Instant.now();
+        return Jwts.builder()
+                .issuer(issuer)
+                .subject(user.getEmail())
+                .issuedAt(Date.from(now))
+                .expiration(Date.from(now.plusMillis(accessTokenExpirationMs)))
+                .claim("uid", user.getId())
+                .claim("roles", buildRolesList(user))
+                .claim("type", "access")
+                .signWith(getSigningKey(), Jwts.SIG.HS256)
+                .compact();
+    }
 
+    /**
+     * Generate a long-lived refresh token (7 days by default) for the given user.
+     * The token carries {@code type=refresh} and is stored in the database; it is
+     * delivered to the client via an HttpOnly cookie named {@code refreshToken}.
+     *
+     * @param user the authenticated user
+     * @return compact JWT string
+     */
+    public String generateRefreshToken(UserModel user) {
+        Instant now = Instant.now();
         return Jwts.builder()
                 .issuer(issuer)
                 .subject(user.getEmail())
                 .issuedAt(Date.from(now))
                 .expiration(Date.from(now.plusMillis(expirationMs)))
                 .claim("uid", user.getId())
-                .claim("roles", rolesList)
+                .claim("roles", buildRolesList(user))
+                .claim("type", "refresh")
                 .signWith(getSigningKey(), Jwts.SIG.HS256)
                 .compact();
     }
 
+    /**
+     * Generate a signed JWT access token for the given user.
+     * Delegates to {@link #generateAccessToken(UserModel)}.
+     * Retained for backward compatibility with test code that calls this method directly.
+     *
+     * @param user the authenticated user
+     * @return compact JWT string
+     */
+    public String generateToken(UserModel user) {
+        return generateAccessToken(user);
+    }
+
     /**
      * Validate a token and return its claims if valid.
      * @param token JWT string
@@ -130,46 +175,47 @@ public boolean isValid(String token) {
     }
 
     /**
-     * Get the name of the auth cookie for clients.
+     * Get the name of the refresh token HttpOnly cookie.
      */
-    public String cookieName() {
-        return cookieName;
+    public String refreshTokenCookieName() {
+        return refreshTokenCookieName;
     }
 
     /**
-     * Build the Set-Cookie for the auth token with HttpOnly; Secure; Path=/ and appropriate SameSite.
-     * - If different site (domain/port/scheme) from backend: SameSite=None; Secure
-     * - If same site: SameSite=Lax/Strict based on configuration
+     * Build the HttpOnly {@code refreshToken} Set-Cookie using the request for SameSite/Secure detection.
+     * The cookie is scoped to Path=/ so it is sent to the server on every request,
+     * but since only the {@code refreshToken} mutation reads it, it is safe.
      */
-    public ResponseCookie buildAuthCookie(String token, HttpServletRequest request) {
+    public ResponseCookie buildRefreshTokenCookie(String token, HttpServletRequest request) {
         boolean crossSite = isCrossSite(request);
         String sameSite = crossSite ? "None" : normalizeSameSite(sameSiteWhenSameSite);
         boolean secure = crossSite || request.isSecure();
 
-        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, token)
+        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(refreshTokenCookieName, token)
                 .httpOnly(true)
                 .secure(secure)
                 .path(cookiePath)
                 .maxAge(Duration.ofMillis(expirationMs))
                 .sameSite(sameSite);
-
         if (cookieDomain != null && !cookieDomain.isBlank()) {
             builder.domain(cookieDomain);
         }
         return builder.build();
     }
 
-    /** Build auth cookie using Origin header and server URI (for GraphQL interceptor). */
-    public ResponseCookie buildAuthCookie(String token, String originHeader, URI serverUri) {
-        boolean crossSite = isCrossSite(originHeader, serverUri);
+    /**
+     * Clear the HttpOnly {@code refreshToken} cookie.
+     */
+    public ResponseCookie clearRefreshTokenCookie(HttpServletRequest request) {
+        boolean crossSite = isCrossSite(request);
         String sameSite = crossSite ? "None" : normalizeSameSite(sameSiteWhenSameSite);
-        boolean secure = crossSite || "https".equalsIgnoreCase(serverUri.getScheme());
+        boolean secure = crossSite || request.isSecure();
 
-        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, token)
+        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(refreshTokenCookieName, "")
                 .httpOnly(true)
                 .secure(secure)
                 .path(cookiePath)
-                .maxAge(Duration.ofMillis(expirationMs))
+                .maxAge(Duration.ZERO)
                 .sameSite(sameSite);
         if (cookieDomain != null && !cookieDomain.isBlank()) {
             builder.domain(cookieDomain);
@@ -178,32 +224,36 @@ public ResponseCookie buildAuthCookie(String token, String originHeader, URI ser
     }
 
     /**
-     * Build a Set-Cookie header that clears the auth cookie.
+     * Build the HttpOnly {@code refreshToken} Set-Cookie using Origin/server URI for SameSite/Secure detection.
+     * Used by {@link com.espacogeek.geek.config.GraphQlCookieInterceptor} which has access to
+     * the {@code WebGraphQlRequest} headers and URI but not to the raw {@code HttpServletRequest}.
      */
-    public ResponseCookie clearAuthCookie(HttpServletRequest request) {
-        boolean crossSite = isCrossSite(request);
+    public ResponseCookie buildRefreshTokenCookie(String token, String originHeader, URI serverUri) {
+        boolean crossSite = isCrossSite(originHeader, serverUri);
         String sameSite = crossSite ? "None" : normalizeSameSite(sameSiteWhenSameSite);
-        boolean secure = crossSite || request.isSecure();
+        boolean secure = crossSite || "https".equalsIgnoreCase(serverUri.getScheme());
 
-        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, "")
+        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(refreshTokenCookieName, token)
                 .httpOnly(true)
                 .secure(secure)
                 .path(cookiePath)
-                .maxAge(Duration.ZERO)
+                .maxAge(Duration.ofMillis(expirationMs))
                 .sameSite(sameSite);
         if (cookieDomain != null && !cookieDomain.isBlank()) {
             builder.domain(cookieDomain);
         }
         return builder.build();
     }
 
-    /** Clear auth cookie using Origin header and server URI (for GraphQL interceptor). */
-    public ResponseCookie clearAuthCookie(String originHeader, URI serverUri) {
+    /**
+     * Clear the HttpOnly {@code refreshToken} cookie using Origin/server URI for SameSite/Secure detection.
+     */
+    public ResponseCookie clearRefreshTokenCookie(String originHeader, URI serverUri) {
         boolean crossSite = isCrossSite(originHeader, serverUri);
         String sameSite = crossSite ? "None" : normalizeSameSite(sameSiteWhenSameSite);
         boolean secure = crossSite || "https".equalsIgnoreCase(serverUri.getScheme());
 
-        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, "")
+        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(refreshTokenCookieName, "")
                 .httpOnly(true)
                 .secure(secure)
                 .path(cookiePath)