-

internal/services/token_service.go

@@ -194,7 +194,14 @@ func (s *tokenService) Delete(ctx context.Context, tokenID uuid.UUID, userID str
 		return err
 	}
 
-	// TODO: Revoke associated permissions
+	// Revoke associated permissions when deleting a static token
+	err = s.grantRepo.RevokeAllPermissions(ctx, domain.TokenTypeStatic, tokenID, "system-cleanup")
+	if err != nil {
+		s.logger.Warn("Failed to revoke permissions for deleted token", 
+			zap.String("token_id", tokenID.String()),
+			zap.Error(err))
+		// Don't fail the deletion if permission revocation fails
+	}
 
 	return nil
 }
@@ -565,13 +572,74 @@ func (s *tokenService) verifyUserToken(ctx context.Context, req *domain.VerifyRe
 func (s *tokenService) RenewUserToken(ctx context.Context, req *domain.RenewRequest) (*domain.RenewResponse, error) {
 	s.logger.Info("Renewing user token", zap.String("app_id", req.AppID), zap.String("user_id", req.UserID))
 
-	// TODO: Validate current token
-	// TODO: Generate new token with extended expiry but same max valid date
+	// Get application to validate against and get HMAC key
+	app, err := s.appRepo.GetByID(ctx, req.AppID)
+	if err != nil {
+		s.logger.Error("Failed to get application for token renewal", zap.Error(err), zap.String("app_id", req.AppID))
+		return &domain.RenewResponse{
+			Error: "invalid_application",
+		}, nil
+	}
+
+	// Validate current token
+	currentToken, err := s.tokenProvider.ValidateUserToken(ctx, req.Token, app.HMACKey)
+	if err != nil {
+		s.logger.Warn("Invalid token for renewal", zap.Error(err), zap.String("app_id", req.AppID), zap.String("user_id", req.UserID))
+		return &domain.RenewResponse{
+			Error: "invalid_token",
+		}, nil
+	}
+
+	// Verify token belongs to the requested user
+	if currentToken.UserID != req.UserID {
+		s.logger.Warn("Token user ID mismatch during renewal", 
+			zap.String("expected", req.UserID), 
+			zap.String("actual", currentToken.UserID))
+		return &domain.RenewResponse{
+			Error: "invalid_token",
+		}, nil
+	}
+
+	// Check if token is still within its maximum validity period
+	if time.Now().After(currentToken.MaxValidAt) {
+		s.logger.Warn("Token is past maximum validity period", 
+			zap.String("user_id", req.UserID),
+			zap.Time("max_valid_at", currentToken.MaxValidAt))
+		return &domain.RenewResponse{
+			Error: "token_expired",
+		}, nil
+	}
+
+	// Generate new token with extended expiry but same max valid date and permissions
+	newToken := &domain.UserToken{
+		AppID:       req.AppID,
+		UserID:      req.UserID,
+		Permissions: currentToken.Permissions,
+		IssuedAt:    time.Now(),
+		ExpiresAt:   time.Now().Add(time.Duration(app.TokenRenewalDuration)),
+		MaxValidAt:  currentToken.MaxValidAt, // Keep original max validity
+		TokenType:   domain.TokenTypeUser,
+		Claims:      currentToken.Claims,
+	}
+
+	// Ensure the new expiry doesn't exceed max valid date
+	if newToken.ExpiresAt.After(newToken.MaxValidAt) {
+		newToken.ExpiresAt = newToken.MaxValidAt
+	}
+
+	// Generate the actual JWT token
+	tokenString, err := s.tokenProvider.GenerateUserToken(ctx, newToken, app.HMACKey)
+	if err != nil {
+		s.logger.Error("Failed to generate renewed token", zap.Error(err), zap.String("user_id", req.UserID))
+		return &domain.RenewResponse{
+			Error: "token_generation_failed",
+		}, nil
+	}
 
 	response := &domain.RenewResponse{
-		Token:      "renewed-token-placeholder",
-		ExpiresAt:  time.Now().Add(7 * 24 * time.Hour),
-		MaxValidAt: time.Now().Add(30 * 24 * time.Hour),
+		Token:      tokenString,
+		ExpiresAt:  newToken.ExpiresAt,
+		MaxValidAt: newToken.MaxValidAt,
 	}
 
 	return response, nil