jwt: add the (last) helper: VerifyRefreshToken

_examples/auth/jwt/refresh-token/main.go

@@ -60,7 +60,8 @@ func main() {
 	// http://localhost:8080/protected?token={access_token} (200)
 	// http://localhost:8080/protected?token={refresh_token} (401)
 	// http://localhost:8080/refresh?token={refresh_token}
-	// OR (request JSON{refresh_token = {refresh_token}}) (200) (response JSON {access_token, refresh_token})
+	// OR http://localhost:8080/refresh (request JSON{refresh_token = {refresh_token}}) (200) (response JSON {access_token, refresh_token})
+	// OR http://localhost:8080/refresh (request PLAIN TEXT of {refresh_token}) (200) (response JSON {access_token, refresh_token})
 	// http://localhost:8080/refresh?token={access_token} (401)
 	app.Listen(":8080")
 }
@@ -95,45 +96,36 @@ func generateTokenPair(ctx iris.Context, j *jwt.JWT) {
 }
 
 func refreshToken(ctx iris.Context, j *jwt.JWT) {
-	var tokenPair jwt.TokenPair
+	/*
+		We could pass a jwt.Claims pointer as the second argument,
+		but we don't have to because the method already returns
+		the standard JWT claims information back to us:
+		refresh, err := VerifyRefreshToken(ctx, nil)
+	*/
 
-	if token := ctx.URLParam("token"); token != "" {
-		// Grab the refresh token from the url argument.
-		tokenPair.RefreshToken = token
-	} else {
-		// Otherwise grab the refresh token from a JSON body (you can let it fetch by URL parameter too but
-		// it's common practice that you read it from a json body as
-		// it may contain the access token too (the same response we sent on generateTokenPair)).
-		err := ctx.ReadJSON(&tokenPair)
-		if err != nil {
-			ctx.StatusCode(iris.StatusBadRequest)
-			return
-		}
-	}
+	// Assuming you have access to the current user, e.g. sessions.
+	//
+	// Simulate a database call against our jwt subject
+	// to make sure that this refresh token is a pair generated by this user.
+	// * Note: You can remove the ExpectSubject and do this validation later on by yourself.
+	currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"
 
-	var refreshClaims jwt.Claims
-	_, err := j.VerifyTokenString(ctx, tokenPair.RefreshToken, &refreshClaims, jwt.ExpectRefreshToken)
+	// Verify the refresh token, which its subject MUST match the "currentUserID".
+	_, err := j.VerifyRefreshToken(ctx, nil, jwt.ExpectSubject(currentUserID))
 	if err != nil {
 		ctx.Application().Logger().Debugf("verify refresh token: %v", err)
 		ctx.StatusCode(iris.StatusUnauthorized)
 		return
 	}
 
-	// Assuming you have access to the current user, e.g. sessions.
-	//
-	// Simulate a database call against our jwt subject
-	// to make sure that this refresh token is a pair generated by this user.
+	/* Custom validation checks can be performed after Verify calls too:
 	currentUserID := "53afcf05-38a3-43c3-82af-8bbbe0e4a149"
-
-	userID := refreshClaims.Subject
+	userID := refresh.Claims.Subject
 	if userID != currentUserID {
 		ctx.StopWithStatus(iris.StatusUnauthorized)
 		return
 	}
-	//
-	// Otherwise, the request must contain the (old) access token too,
-	// even if it's invalid, we can still fetch its fields, such as the user id.
-	// [...leave it for you]
+	*/
 
 	// All OK, re-generate the new pair and send to client.
 	generateTokenPair(ctx, j)