fred-maina · ArhamSyed · Dec 1, 2025
diff --git a/src/main/java/com/fredmaina/chatapp/Auth/Dtos/AuthResponse.java b/src/main/java/com/fredmaina/chatapp/Auth/Dtos/AuthResponse.java
@@ -13,9 +13,10 @@ public class AuthResponse {
     private String message;
     private User user;
     private String token;
+    private String refreshToken;
 
 
-    public AuthResponse(boolean success, String message, User user, String token) {
+    public AuthResponse(boolean success, String message, User user, String token, String refreshToken) {
         this.success = success;
         this.message = message;
         this.user = user;

diff --git a/src/main/java/com/fredmaina/chatapp/Auth/Models/RefreshToken.java b/src/main/java/com/fredmaina/chatapp/Auth/Models/RefreshToken.java
@@ -0,0 +1,29 @@
+package com.fredmaina.chatapp.Auth.Models;
+
+import jakarta.persistence.*;
+import lombok.Getter;
+import lombok.Setter;
+
+import java.time.Instant;
+
+@Entity
+@Getter
+@Setter
+@Table(name = "refresh_tokens")
+public class RefreshToken {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.UUID)
+    private String id;
+
+    @Column(nullable = false, unique = true)
+    private String token;
+
+    @Column(nullable = false)
+    private Instant expiryDate;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "user_id", nullable = false)
+    private User user;
+
+}
diff --git a/src/main/java/com/fredmaina/chatapp/Auth/Repositories/RefreshRepository.java b/src/main/java/com/fredmaina/chatapp/Auth/Repositories/RefreshRepository.java
@@ -0,0 +1,12 @@
+package com.fredmaina.chatapp.Auth.Repositories;
+
+import com.fredmaina.chatapp.Auth.Models.RefreshToken;
+import com.fredmaina.chatapp.Auth.Models.User;
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.Optional;
+
+public interface RefreshRepository extends JpaRepository<RefreshToken, String> {
+    Optional<RefreshToken> findByToken(String token);
+    int deleteByUser(User user);
+}
diff --git a/src/main/java/com/fredmaina/chatapp/Auth/controllers/AuthController.java b/src/main/java/com/fredmaina/chatapp/Auth/controllers/AuthController.java
@@ -2,15 +2,21 @@
 
 
 import com.fredmaina.chatapp.Auth.Dtos.*;
+import com.fredmaina.chatapp.Auth.Models.RefreshToken;
 import com.fredmaina.chatapp.Auth.Models.User;
+import com.fredmaina.chatapp.Auth.Repositories.RefreshRepository;
 import com.fredmaina.chatapp.Auth.Repositories.UserRepository;
 import com.fredmaina.chatapp.Auth.services.AuthService;
 import com.fredmaina.chatapp.Auth.services.JWTService;
+import com.fredmaina.chatapp.Auth.services.RefreshTokenService;
 import jakarta.validation.Valid;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseCookie;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 
@@ -28,17 +34,34 @@ public class AuthController {
     @Autowired
     UserRepository userRepository;
 
+    @Autowired
+    RefreshRepository refreshTokenRepository;
+
+    @Autowired
+    RefreshTokenService refreshTokenService;
+
 
     @PostMapping("/login")
     public ResponseEntity<AuthResponse> login(@RequestBody LoginRequest loginRequest) {
         AuthResponse authResponse = authService.login(loginRequest);
         if(authResponse.isSuccess()){
-            return ResponseEntity.ok(authResponse);
+            ResponseCookie cookie = ResponseCookie.from("refreshToken", authResponse.getRefreshToken())
+                    .httpOnly(true)
+                    .secure(true)
+                    .sameSite("Strict")
+                    .path("/api/auth/refresh")
+                    .maxAge(7 * 24 * 60 * 60)
+                    .build();
+
+            return ResponseEntity.ok()
+                    .header(HttpHeaders.SET_COOKIE, cookie.toString())
+                    .body(authResponse);
         }
         return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(authResponse);
 
     }
 
+
     @PostMapping("/register")
     public ResponseEntity<AuthResponse> register(@Valid @RequestBody SignUpRequest signUpRequest) {
         AuthResponse authResponse = authService.signUp(signUpRequest);
@@ -128,4 +151,41 @@ public ResponseEntity<Map<String, Object>> checkUsername(@PathVariable String us
             ));
         }
     }
-}
+    @PostMapping("/refresh")
+    public ResponseEntity<?> refresh(@CookieValue("refreshToken") String refreshToken) {
+
+        RefreshToken rt = refreshTokenRepository.findByToken(refreshToken)
+                .orElseThrow(() -> new RuntimeException("Invalid refresh token"));
+
+        refreshTokenService.verifyExpiration(rt);
+
+        String newAccessToken = jwtService.generateToken(rt.getUser().getEmail());
+
+        return ResponseEntity.ok(
+                AuthResponse.builder()
+                        .success(true)
+                        .message("Token refreshed")
+                        .token(newAccessToken)
+                        .refreshToken(refreshToken)
+                        .user(rt.getUser())
+                        .build()
+        );
+    }
+
+    @PostMapping("/logout")
+    public ResponseEntity<?> logout(@AuthenticationPrincipal User user) {
+
+        refreshTokenService.deleteByUser(user);
+
+        ResponseCookie cookie = ResponseCookie.from("refreshToken", "")
+                .httpOnly(true)
+                .secure(true)
+                .path("/")
+                .maxAge(0)
+                .build();
+
+        return ResponseEntity.ok()
+                .header(HttpHeaders.SET_COOKIE, cookie.toString())
+                .body("Logged out");
+    }
+}