implement refresh tokens

Author: brendan-kellam

packages/db/prisma/migrations/20260304233124_add_oauth_refresh_tokens/migration.sql

@@ -0,0 +1,21 @@
+-- CreateTable
+CREATE TABLE "OAuthRefreshToken" (
+    "hash" TEXT NOT NULL,
+    "clientId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "scope" TEXT NOT NULL DEFAULT '',
+    "resource" TEXT,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "OAuthRefreshToken_pkey" PRIMARY KEY ("hash")
+);
+
+-- CreateIndex
+CREATE INDEX "OAuthRefreshToken_clientId_userId_idx" ON "OAuthRefreshToken"("clientId", "userId");
+
+-- AddForeignKey
+ALTER TABLE "OAuthRefreshToken" ADD CONSTRAINT "OAuthRefreshToken_clientId_fkey" FOREIGN KEY ("clientId") REFERENCES "OAuthClient"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthRefreshToken" ADD CONSTRAINT "OAuthRefreshToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;

packages/db/prisma/schema.prisma

@@ -365,8 +365,9 @@ model User {
   chats Chat[]
   sharedChats ChatAccess[]
 
-  oauthTokens    OAuthToken[]
-  oauthAuthCodes OAuthAuthorizationCode[]
+  oauthTokens        OAuthToken[]
+  oauthAuthCodes     OAuthAuthorizationCode[]
+  oauthRefreshTokens OAuthRefreshToken[]
 
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
@@ -501,8 +502,9 @@ model OAuthClient {
   redirectUris String[]
   createdAt    DateTime @default(now())
 
-  authCodes OAuthAuthorizationCode[]
-  tokens    OAuthToken[]
+  authCodes     OAuthAuthorizationCode[]
+  tokens        OAuthToken[]
+  refreshTokens OAuthRefreshToken[]
 }
 
 /// A short-lived authorization code issued during the OAuth2 authorization code flow.
@@ -520,6 +522,21 @@ model OAuthAuthorizationCode {
   createdAt     DateTime    @default(now())
 }
 
+/// An opaque OAuth2 refresh token. Single-use with rotation (RFC 6749 Section 10.4, OAuth 2.1 Section 4.3.1).
+model OAuthRefreshToken {
+  hash      String   @id // hashSecret(rawToken secret portion)
+  clientId  String
+  client    OAuthClient @relation(fields: [clientId], references: [id], onDelete: Cascade)
+  userId    String
+  user      User        @relation(fields: [userId], references: [id], onDelete: Cascade)
+  scope     String      @default("")
+  resource  String? // RFC 8707
+  expiresAt DateTime
+  createdAt DateTime    @default(now())
+
+  @@index([clientId, userId])
+}
+
 /// An opaque OAuth2 access token. The raw token is never stored — only its HMAC-SHA256 hash.
 model OAuthToken {
   hash       String   @id // hashSecret(rawToken secret portion)

packages/shared/src/constants.ts

@@ -3,6 +3,15 @@ import { ConfigSettings, IdentityProviderType } from "./types.js";
 
 export const SOURCEBOT_SUPPORT_EMAIL = 'team@sourcebot.dev';
 
+/**
+ * @deprecated Use API_KEY_PREFIX instead.
+ */
+export const LEGACY_API_KEY_PREFIX = 'sourcebot-';
+
+export const API_KEY_PREFIX = 'sbk_';
+export const OAUTH_ACCESS_TOKEN_PREFIX = 'sboa_';
+export const OAUTH_REFRESH_TOKEN_PREFIX = 'sbor_';
+
 export const SOURCEBOT_UNLIMITED_SEATS = -1;
 
 /**

packages/shared/src/crypto.ts

@@ -4,6 +4,7 @@ import { z } from 'zod';
 import { env } from './env.server.js';
 import { Token } from '@sourcebot/schemas/v3/shared.type';
 import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
+import { API_KEY_PREFIX, OAUTH_ACCESS_TOKEN_PREFIX, OAUTH_REFRESH_TOKEN_PREFIX } from './constants.js';
 
 const algorithm = 'aes-256-cbc';
 const ivLength = 16; // 16 bytes for CBC
@@ -35,7 +36,7 @@ export function generateApiKey(): { key: string; hash: string } {
     const hash = hashSecret(secret);
 
     return {
-        key: `sourcebot-${secret}`,
+        key: `${API_KEY_PREFIX}${secret}`,
         hash,
     };
 }
@@ -45,7 +46,17 @@ export function generateOAuthToken(): { token: string; hash: string } {
     const hash = hashSecret(secret);
 
     return {
-        token: `sourcebot-oauth-${secret}`,
+        token: `${OAUTH_ACCESS_TOKEN_PREFIX}${secret}`,
+        hash,
+    };
+}
+
+export function generateOAuthRefreshToken(): { token: string; hash: string } {
+    const secret = crypto.randomBytes(32).toString('hex');
+    const hash = hashSecret(secret);
+
+    return {
+        token: `${OAUTH_REFRESH_TOKEN_PREFIX}${secret}`,
         hash,
     };
 }

packages/shared/src/index.server.ts

@@ -46,6 +46,7 @@ export {
     hashSecret,
     generateApiKey,
     generateOAuthToken,
+    generateOAuthRefreshToken,
     verifySignature,
     encryptOAuthToken,
     decryptOAuthToken,

packages/web/src/__mocks__/prisma.ts

@@ -1,5 +1,5 @@
 import { SINGLE_TENANT_ORG_DOMAIN, SINGLE_TENANT_ORG_ID, SINGLE_TENANT_ORG_NAME } from '@/lib/constants';
-import { Account, ApiKey, OAuthToken, Org, PrismaClient, User } from '@prisma/client';
+import { Account, ApiKey, OAuthRefreshToken, OAuthToken, Org, PrismaClient, User } from '@prisma/client';
 import { beforeEach, vi } from 'vitest';
 import { mockDeep, mockReset } from 'vitest-mock-extended';
 
@@ -52,10 +52,21 @@ export const MOCK_OAUTH_TOKEN: OAuthToken & { user: User & { accounts: Account[]
     clientId: 'test-client-id',
     userId: MOCK_USER_WITH_ACCOUNTS.id,
     scope: '',
-    expiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365), // 1 year from now
+    resource: null,
+    expiresAt: new Date(Date.now() + 1000 * 60 * 60), // 1 hour from now
     createdAt: new Date(),
     lastUsedAt: null,
     user: MOCK_USER_WITH_ACCOUNTS,
 }
 
+export const MOCK_REFRESH_TOKEN: OAuthRefreshToken = {
+    hash: 'refreshtoken',
+    clientId: 'test-client-id',
+    userId: MOCK_USER_WITH_ACCOUNTS.id,
+    scope: '',
+    resource: null,
+    expiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 90), // 90 days from now
+    createdAt: new Date(),
+}
+
 export const userScopedPrismaClientExtension = vi.fn();

packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts

@@ -15,7 +15,7 @@ export const GET = apiHandler(async () => {
         registration_endpoint: `${issuer}/api/ee/oauth/register`,
         revocation_endpoint: `${issuer}/api/ee/oauth/revoke`,
         response_types_supported: ['code'],
-        grant_types_supported: ['authorization_code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none'],
         service_documentation: 'https://docs.sourcebot.dev',

packages/web/src/app/api/(server)/ee/oauth/revoke/route.ts

@@ -1,4 +1,4 @@
-import { revokeToken } from '@/features/oauth/server';
+import { revokeToken } from '@/ee/features/oauth/server';
 import { apiHandler } from '@/lib/apiHandler';
 import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';

packages/web/src/app/api/(server)/ee/oauth/token/route.ts

@@ -1,4 +1,4 @@
-import { verifyAndExchangeCode, ACCESS_TOKEN_TTL_SECONDS } from '@/features/oauth/server';
+import { verifyAndExchangeCode, verifyAndRotateRefreshToken, ACCESS_TOKEN_TTL_SECONDS } from '@/ee/features/oauth/server';
 import { apiHandler } from '@/lib/apiHandler';
 import { hasEntitlement } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
@@ -17,45 +17,86 @@ export const POST = apiHandler(async (request: NextRequest) => {
     const formData = await request.formData();
 
     const grantType = formData.get('grant_type');
-    if (grantType !== 'authorization_code') {
-        return Response.json(
-            { error: 'unsupported_grant_type', error_description: 'Only authorization_code is supported.' },
-            { status: 400 }
-        );
-    }
-
-    const code = formData.get('code');
     const clientId = formData.get('client_id');
-    const redirectUri = formData.get('redirect_uri');
-    const codeVerifier = formData.get('code_verifier');
     const resource = formData.get('resource');
 
-    if (!code || !clientId || !redirectUri || !codeVerifier) {
+    if (!clientId) {
         return Response.json(
-            { error: 'invalid_request', error_description: 'Missing required parameters: code, client_id, redirect_uri, code_verifier.' },
+            { error: 'invalid_request', error_description: 'Missing required parameter: client_id.' },
             { status: 400 }
         );
     }
 
-    const result = await verifyAndExchangeCode({
-        rawCode: code.toString(),
-        clientId: clientId.toString(),
-        redirectUri: redirectUri.toString(),
-        codeVerifier: codeVerifier.toString(),
-        resource: resource ? resource.toString() : null,
-    });
+    if (grantType === 'authorization_code') {
+        const code = formData.get('code');
+        const redirectUri = formData.get('redirect_uri');
+        const codeVerifier = formData.get('code_verifier');
 
-    if ('error' in result) {
-        return Response.json(
-            { error: result.error, error_description: result.errorDescription },
-            { status: 400 }
-        );
+        if (!code || !redirectUri || !codeVerifier) {
+            return Response.json(
+                { error: 'invalid_request', error_description: 'Missing required parameters: code, redirect_uri, code_verifier.' },
+                { status: 400 }
+            );
+        }
+
+        const result = await verifyAndExchangeCode({
+            rawCode: code.toString(),
+            clientId: clientId.toString(),
+            redirectUri: redirectUri.toString(),
+            codeVerifier: codeVerifier.toString(),
+            resource: resource ? resource.toString() : null,
+        });
+
+        if ('error' in result) {
+            return Response.json(
+                { error: result.error, error_description: result.errorDescription },
+                { status: 400 }
+            );
+        }
+
+        return Response.json({
+            access_token: result.token,
+            refresh_token: result.refreshToken,
+            token_type: 'Bearer',
+            expires_in: ACCESS_TOKEN_TTL_SECONDS,
+            scope: '',
+        });
+    }
+
+    if (grantType === 'refresh_token') {
+        const rawRefreshToken = formData.get('refresh_token');
+
+        if (!rawRefreshToken) {
+            return Response.json(
+                { error: 'invalid_request', error_description: 'Missing required parameter: refresh_token.' },
+                { status: 400 }
+            );
+        }
+
+        const result = await verifyAndRotateRefreshToken({
+            rawRefreshToken: rawRefreshToken.toString(),
+            clientId: clientId.toString(),
+            resource: resource ? resource.toString() : null,
+        });
+
+        if ('error' in result) {
+            return Response.json(
+                { error: result.error, error_description: result.errorDescription },
+                { status: 400 }
+            );
+        }
+
+        return Response.json({
+            access_token: result.token,
+            refresh_token: result.refreshToken,
+            token_type: 'Bearer',
+            expires_in: ACCESS_TOKEN_TTL_SECONDS,
+            scope: '',
+        });
     }
 
-    return Response.json({
-        access_token: result.token,
-        token_type: 'Bearer',
-        expires_in: ACCESS_TOKEN_TTL_SECONDS,
-        scope: '',
-    });
+    return Response.json(
+        { error: 'unsupported_grant_type', error_description: 'Supported grant types: authorization_code, refresh_token.' },
+        { status: 400 }
+    );
 });

packages/web/src/app/oauth/authorize/page.tsx

@@ -1,5 +1,5 @@
 import { auth } from '@/auth';
-import { generateAndStoreAuthCode } from '@/features/oauth/server';
+import { generateAndStoreAuthCode } from '@/ee/features/oauth/server';
 import { LogoutEscapeHatch } from '@/app/components/logoutEscapeHatch';
 import { ClientIcon } from './components/clientIcon';
 import { Button } from '@/components/ui/button';