From 7f5b57516e65405ccd78f2aced3e79abe1f0924b Mon Sep 17 00:00:00 2001
From: Chaoscaot
Date: Mon, 17 Feb 2025 18:28:43 +0100
Subject: [PATCH] Reduce access token duration and enhance auth endpoints
---
.../src/de/steamwar/routes/v2/Auth.kt | 19 ++++++++++++++++---
.../src/de/steamwar/util/TokenUtils.kt | 3 +--
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt b/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt
index b854d619..9d6a5181 100644
--- a/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt
+++ b/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt
@@ -115,7 +115,7 @@ fun Route.configureNewAuth() {
 call.respond(HttpStatusCode.OK)
 }
 route("/state") {
- post("/create") {
+ post {
 val request = call.receive()
 val user = SteamwarUser.get(request.name)
@@ -128,12 +128,12 @@ fun Route.configureNewAuth() {
 call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
 }
- post("/refresh") {
+ put {
 val token = call.principal()
 if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
 call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
- return@post
+ return@put
 }
 val code = token.token.name.substringAfterLast('-')
@@ -145,6 +145,19 @@ fun Route.configureNewAuth() {
 call.respond(token.user.createAccessAndRefreshToken(true))
 }
+ delete { val token = call.principal() token?.let { t -> t.token.delete() val code = t.token.name.substringAfterLast('-') Token.listUser(token.user) .filter { it.type == TokenType.REFRESH_TOKEN } .filter { it.name.endsWith(code) } .forEach { it.delete() } } call.respond(HttpStatusCode.OK) } } } }
\ No newline at end of file
diff --git a/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt b/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt
index 7a70c2f3..4f5f8a4f 100644
--- a/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt
+++ b/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt
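Review bot: The new `delete` handler revokes sessions with `it.name.endsWith(code)`, where `code` is everything after the last `-` of the presented token's name; a bare suffix match can also hit another session of the same user whose code merely ends in the same characters, so if names are `<prefix>-<code>` (which `substringAfterLast('-')` suggests, though the format is not visible here) the filter should require the delimiter, `.filter { it.name.endsWith("-$code") }`. Unlike `put`, the handler accepts a principal of any token type and answers `HttpStatusCode.OK` when there is none, so an unauthenticated logout is indistinguishable from a successful one, and if access-token names do not carry the session code a logout sent with an access token deletes only that token and leaves the refresh token — and thus the session — alive. If, as `put` already requires, the client is expected to present the refresh token here, I would mirror that guard and reject a missing or mismatched principal with the same 403, which also removes the `let` and the `t.token` / `token.user` mix inside it. Only refresh tokens are swept, so any other access token of that session stays valid until it expires, which is presumably what the five-minute lifetime in TokenUtils.kt is for — that deserves a comment on the handler. `configureNewAuth` begins before this hunk.
```kotlin
delete {
    val token = call.principal()
    if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
        call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
        return@delete
    }
    // Revoke this refresh token and its siblings for the same session code.
    // Access tokens are not swept here; they expire on their own (see TokenType.lifetime).
    token.token.delete()
    val code = token.token.name.substringAfterLast('-')
    Token.listUser(token.user)
        .filter { it.type == TokenType.REFRESH_TOKEN }
        .filter { it.name.endsWith("-$code") }
        .forEach { it.delete() }
    // … unchanged: call.respond(HttpStatusCode.OK) …
}
```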
@@ -23,7 +23,6 @@ import de.steamwar.sql.Token
 import java.time.LocalDateTime
 import kotlin.time.Duration
 import kotlin.time.Duration.Companion.days
-import kotlin.time.Duration.Companion.hours
 import kotlin.time.Duration.Companion.minutes
 import kotlin.time.toJavaDuration
@@ -38,7 +37,7 @@ val Token.type: TokenType
 val TokenType.lifetime: Duration
 get() = when (this) {
 TokenType.REFRESH_TOKEN -> 7.days
- TokenType.ACCESS_TOKEN -> 1.hours
+ TokenType.ACCESS_TOKEN -> 5.minutes
 TokenType.RESET_PASSWORD -> 10.minutes
 TokenType.OLD_TOKEN -> 1.days
 }
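Review bot: The `when` in `TokenType.lifetime` now drops `ACCESS_TOKEN` from one hour to five minutes while `REFRESH_TOKEN` stays at seven days, but nothing in the file says why the two differ by three orders of magnitude, so the next person tuning these values has nothing to go on. Add above `val TokenType.lifetime: Duration` something like: `// Access tokens are deliberately short-lived: the DELETE /state logout in Auth.kt only sweeps refresh tokens, so this window bounds how long an access token that was leaked or never explicitly revoked stays usable; clients renew via PUT /state.` A second line should state the expectation that clients refresh well inside five minutes, because any client that renews less often than that will start seeing expired-token rejections after this change — the clients are not visible from here, so confirm that before merging. `RESET_PASSWORD` at ten minutes and `OLD_TOKEN` at one day read as intended; only the rationale is missing.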