From f2f7819f8cdc9873e32a62d941ef7db163598987 Mon Sep 17 00:00:00 2001
From: Alexey <alex@oblat.lv>
Date: Sat, 3 Jan 2026 15:43:12 +0200
Subject: [PATCH] add refresh method

---
 api/auth/refresh.go | 56 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 api/auth/refresh.go

diff --git a/api/auth/refresh.go b/api/auth/refresh.go
new file mode 100644
index 0000000..6f1519b
--- /dev/null
+++ b/api/auth/refresh.go
@@ -0,0 +1,56 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type refreshResponse struct {
+	Access string `json:"accessToken"`
+}
+
+// @Summary Refresh tokens
+// @Description Requires valid HttpOnly refresh_token cookie
+// @Tags auth
+// @Produce json
+// @Security RefreshCookieAuth
+// @Success 200 {object} refreshResponse
+// @Failure 401 {object} server.ProblemDetails
+// @Failure 500 {object} server.ProblemDetails
+// @Router /api/auth/refresh [post]
+func (h *authHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	refreshCookie, err := r.Cookie("refresh_token")
+	if err != nil && errors.Is(err, http.ErrNoCookie) {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	refreshStr := refreshCookie.Value
+	if refreshStr == "" {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	tokens, err := h.a.RefreshTokens(refreshStr)
+	if err != nil {
+		if errors.Is(err, auth.ErrInvalidToken) {
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-invalid", "Refresh token is invalid", "Refresh token is invalid", r)
+		} else {
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+		}
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    tokens.Refresh,
+		MaxAge:   3600,
+		Path:     "/api/auth/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	var resp refreshResponse
+	resp.Access = tokens.Access
+	_ = json.NewEncoder(w).Encode(resp)
+}