apskel-pos-backend/internal/service/auth_service.go

package service

import (
	"context"
	"errors"
	"fmt"
	"time"

	"apskel-pos-be/config"
	"apskel-pos-be/internal/contract"
	"apskel-pos-be/internal/models"
	"apskel-pos-be/internal/transformer"

	"github.com/golang-jwt/jwt/v5"
	"github.com/google/uuid"
	"golang.org/x/crypto/bcrypt"
)

type AuthService interface {
	Login(ctx context.Context, req *contract.LoginRequest) (*contract.LoginResponse, error)
	ValidateToken(tokenString string) (*contract.UserResponse, error)
	RefreshToken(ctx context.Context, tokenString string) (*contract.LoginResponse, error)
	Logout(ctx context.Context, tokenString string) error
}

type AuthServiceImpl struct {
	userProcessor     UserProcessor
	jwtSecret         string
	refreshSecret     string
	tokenTTL          time.Duration
	refreshTokenTTL   time.Duration
}

type Claims struct {
	UserID         uuid.UUID `json:"user_id"`
	Email          string    `json:"email"`
	Role           string    `json:"role"`
	OrganizationID uuid.UUID `json:"organization_id"`
	jwt.RegisteredClaims
}

func NewAuthService(userProcessor UserProcessor, authConfig *config.AuthConfig) AuthService {
	return &AuthServiceImpl{
		userProcessor:   userProcessor,
		jwtSecret:       authConfig.AccessTokenSecret(),
		refreshSecret:   authConfig.RefreshTokenSecret(),
		tokenTTL:        authConfig.AccessTokenTTL(),
		refreshTokenTTL: authConfig.RefreshTokenTTL(),
	}
}

func (s *AuthServiceImpl) Login(ctx context.Context, req *contract.LoginRequest) (*contract.LoginResponse, error) {
	userResponse, err := s.userProcessor.GetUserByEmail(ctx, req.Email)
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	userEntity, err := s.userProcessor.GetUserEntityByEmail(ctx, req.Email)
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	err = bcrypt.CompareHashAndPassword([]byte(userEntity.PasswordHash), []byte(req.Password))
	if err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)

	token, expiresAt, err := s.generateToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate token: %w", err)
	}

	refreshToken, refreshExpiresAt, err := s.generateRefreshToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
	}

	return &contract.LoginResponse{
		Token:            token,
		RefreshToken:     refreshToken,
		ExpiresAt:        expiresAt,
		RefreshExpiresAt: refreshExpiresAt,
		User:             *contractUserResponse,
	}, nil
}

func (s *AuthServiceImpl) ValidateToken(tokenString string) (*contract.UserResponse, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, fmt.Errorf("invalid token: %w", err)
	}

	userResponse, err := s.userProcessor.GetUserByID(context.Background(), claims.UserID)
	if err != nil {
		return nil, fmt.Errorf("user not found: %w", err)
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)
	return contractUserResponse, nil
}

func (s *AuthServiceImpl) RefreshToken(ctx context.Context, tokenString string) (*contract.LoginResponse, error) {
	claims, err := s.parseToken(tokenString)
	if err != nil {
		return nil, fmt.Errorf("invalid token: %w", err)
	}

	userResponse, err := s.userProcessor.GetUserByID(ctx, claims.UserID)
	if err != nil {
		return nil, fmt.Errorf("user not found: %w", err)
	}

	if !userResponse.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}

	contractUserResponse := transformer.UserModelResponseToResponse(userResponse)

	newToken, expiresAt, err := s.generateToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate token: %w", err)
	}

	refreshToken, refreshExpiresAt, err := s.generateRefreshToken(userResponse)
	if err != nil {
		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
	}

	return &contract.LoginResponse{
		Token:            newToken,
		RefreshToken:     refreshToken,
		ExpiresAt:        expiresAt,
		RefreshExpiresAt: refreshExpiresAt,
		User:             *contractUserResponse,
	}, nil
}

func (s *AuthServiceImpl) Logout(ctx context.Context, tokenString string) error {
	// In a more sophisticated implementation, you might want to blacklist the token
	// For now, we'll just validate that the token is valid
	_, err := s.parseToken(tokenString)
	if err != nil {
		return fmt.Errorf("invalid token: %w", err)
	}

	// In the future, you could store blacklisted tokens in Redis or database
	return nil
}

func (s *AuthServiceImpl) generateToken(user *models.UserResponse) (string, time.Time, error) {
	expiresAt := time.Now().Add(s.tokenTTL)

	claims := &Claims{
		UserID:         user.ID,
		Email:          user.Email,
		Role:           string(user.Role),
		OrganizationID: user.OrganizationID,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(expiresAt),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			NotBefore: jwt.NewNumericDate(time.Now()),
			Issuer:    "apskel-pos",
			Subject:   user.ID.String(),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(s.jwtSecret))
	if err != nil {
		return "", time.Time{}, err
	}

	return tokenString, expiresAt, nil
}

func (s *AuthServiceImpl) generateRefreshToken(user *models.UserResponse) (string, time.Time, error) {
	expiresAt := time.Now().Add(s.refreshTokenTTL)

	claims := &Claims{
		UserID:         user.ID,
		Email:          user.Email,
		Role:           string(user.Role),
		OrganizationID: user.OrganizationID,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(expiresAt),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			NotBefore: jwt.NewNumericDate(time.Now()),
			Issuer:    "apskel-pos-refresh",
			Subject:   user.ID.String(),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(s.refreshSecret))
	if err != nil {
		return "", time.Time{}, err
	}

	return tokenString, expiresAt, nil
}

func (s *AuthServiceImpl) parseToken(tokenString string) (*Claims, error) {
	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(s.jwtSecret), nil
	})

	if err != nil {
		return nil, err
	}

	if claims, ok := token.Claims.(*Claims); ok && token.Valid {
		return claims, nil
	}

	return nil, errors.New("invalid token")
}
init 2025-07-18 20:10:29 +07:00			`package service`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"time"`

Add Refresh token 2025-09-20 17:17:00 +07:00			`"apskel-pos-be/config"`
init 2025-07-18 20:10:29 +07:00			`"apskel-pos-be/internal/contract"`
			`"apskel-pos-be/internal/models"`
			`"apskel-pos-be/internal/transformer"`

			`"github.com/golang-jwt/jwt/v5"`
			`"github.com/google/uuid"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`type AuthService interface {`
			`Login(ctx context.Context, req contract.LoginRequest) (contract.LoginResponse, error)`
			`ValidateToken(tokenString string) (*contract.UserResponse, error)`
			`RefreshToken(ctx context.Context, tokenString string) (*contract.LoginResponse, error)`
			`Logout(ctx context.Context, tokenString string) error`
			`}`

			`type AuthServiceImpl struct {`
Add Refresh token 2025-09-20 17:17:00 +07:00			`userProcessor UserProcessor`
			`jwtSecret string`
			`refreshSecret string`
			`tokenTTL time.Duration`
			`refreshTokenTTL time.Duration`
init 2025-07-18 20:10:29 +07:00			`}`

			`type Claims struct {`
			UserID uuid.UUID `json:"user_id"`
			Email string `json:"email"`
			Role string `json:"role"`
			OrganizationID uuid.UUID `json:"organization_id"`
			`jwt.RegisteredClaims`
			`}`

Add Refresh token 2025-09-20 17:17:00 +07:00			`func NewAuthService(userProcessor UserProcessor, authConfig *config.AuthConfig) AuthService {`
init 2025-07-18 20:10:29 +07:00			`return &AuthServiceImpl{`
Add Refresh token 2025-09-20 17:17:00 +07:00			`userProcessor: userProcessor,`
			`jwtSecret: authConfig.AccessTokenSecret(),`
			`refreshSecret: authConfig.RefreshTokenSecret(),`
			`tokenTTL: authConfig.AccessTokenTTL(),`
			`refreshTokenTTL: authConfig.RefreshTokenTTL(),`
init 2025-07-18 20:10:29 +07:00			`}`
			`}`

			`func (s AuthServiceImpl) Login(ctx context.Context, req contract.LoginRequest) (*contract.LoginResponse, error) {`
			`userResponse, err := s.userProcessor.GetUserByEmail(ctx, req.Email)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid credentials")`
			`}`

			`if !userResponse.IsActive {`
			`return nil, fmt.Errorf("user account is deactivated")`
			`}`

			`userEntity, err := s.userProcessor.GetUserEntityByEmail(ctx, req.Email)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid credentials")`
			`}`

			`err = bcrypt.CompareHashAndPassword([]byte(userEntity.PasswordHash), []byte(req.Password))`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid credentials")`
			`}`

			`contractUserResponse := transformer.UserModelResponseToResponse(userResponse)`

			`token, expiresAt, err := s.generateToken(userResponse)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to generate token: %w", err)`
			`}`

Add Refresh token 2025-09-20 17:17:00 +07:00			`refreshToken, refreshExpiresAt, err := s.generateRefreshToken(userResponse)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to generate refresh token: %w", err)`
			`}`

init 2025-07-18 20:10:29 +07:00			`return &contract.LoginResponse{`
Add Refresh token 2025-09-20 17:17:00 +07:00			`Token: token,`
			`RefreshToken: refreshToken,`
			`ExpiresAt: expiresAt,`
			`RefreshExpiresAt: refreshExpiresAt,`
			`User: *contractUserResponse,`
init 2025-07-18 20:10:29 +07:00			`}, nil`
			`}`

			`func (s AuthServiceImpl) ValidateToken(tokenString string) (contract.UserResponse, error) {`
			`claims, err := s.parseToken(tokenString)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid token: %w", err)`
			`}`

			`userResponse, err := s.userProcessor.GetUserByID(context.Background(), claims.UserID)`
			`if err != nil {`
			`return nil, fmt.Errorf("user not found: %w", err)`
			`}`

			`if !userResponse.IsActive {`
			`return nil, fmt.Errorf("user account is deactivated")`
			`}`

			`contractUserResponse := transformer.UserModelResponseToResponse(userResponse)`
			`return contractUserResponse, nil`
			`}`

			`func (s AuthServiceImpl) RefreshToken(ctx context.Context, tokenString string) (contract.LoginResponse, error) {`
			`claims, err := s.parseToken(tokenString)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid token: %w", err)`
			`}`

			`userResponse, err := s.userProcessor.GetUserByID(ctx, claims.UserID)`
			`if err != nil {`
			`return nil, fmt.Errorf("user not found: %w", err)`
			`}`

			`if !userResponse.IsActive {`
			`return nil, fmt.Errorf("user account is deactivated")`
			`}`

			`contractUserResponse := transformer.UserModelResponseToResponse(userResponse)`

			`newToken, expiresAt, err := s.generateToken(userResponse)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to generate token: %w", err)`
			`}`

Add Refresh token 2025-09-20 17:17:00 +07:00			`refreshToken, refreshExpiresAt, err := s.generateRefreshToken(userResponse)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to generate refresh token: %w", err)`
			`}`

init 2025-07-18 20:10:29 +07:00			`return &contract.LoginResponse{`
Add Refresh token 2025-09-20 17:17:00 +07:00			`Token: newToken,`
			`RefreshToken: refreshToken,`
			`ExpiresAt: expiresAt,`
			`RefreshExpiresAt: refreshExpiresAt,`
			`User: *contractUserResponse,`
init 2025-07-18 20:10:29 +07:00			`}, nil`
			`}`

			`func (s *AuthServiceImpl) Logout(ctx context.Context, tokenString string) error {`
			`// In a more sophisticated implementation, you might want to blacklist the token`
			`// For now, we'll just validate that the token is valid`
			`_, err := s.parseToken(tokenString)`
			`if err != nil {`
			`return fmt.Errorf("invalid token: %w", err)`
			`}`

			`// In the future, you could store blacklisted tokens in Redis or database`
			`return nil`
			`}`

			`func (s AuthServiceImpl) generateToken(user models.UserResponse) (string, time.Time, error) {`
			`expiresAt := time.Now().Add(s.tokenTTL)`

			`claims := &Claims{`
			`UserID: user.ID,`
			`Email: user.Email,`
			`Role: string(user.Role),`
			`OrganizationID: user.OrganizationID,`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: jwt.NewNumericDate(expiresAt),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`NotBefore: jwt.NewNumericDate(time.Now()),`
			`Issuer: "apskel-pos",`
			`Subject: user.ID.String(),`
			`},`
			`}`

			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString([]byte(s.jwtSecret))`
			`if err != nil {`
			`return "", time.Time{}, err`
			`}`

			`return tokenString, expiresAt, nil`
			`}`

Add Refresh token 2025-09-20 17:17:00 +07:00			`func (s AuthServiceImpl) generateRefreshToken(user models.UserResponse) (string, time.Time, error) {`
			`expiresAt := time.Now().Add(s.refreshTokenTTL)`

			`claims := &Claims{`
			`UserID: user.ID,`
			`Email: user.Email,`
			`Role: string(user.Role),`
			`OrganizationID: user.OrganizationID,`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: jwt.NewNumericDate(expiresAt),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`NotBefore: jwt.NewNumericDate(time.Now()),`
			`Issuer: "apskel-pos-refresh",`
			`Subject: user.ID.String(),`
			`},`
			`}`

			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString([]byte(s.refreshSecret))`
			`if err != nil {`
			`return "", time.Time{}, err`
			`}`

			`return tokenString, expiresAt, nil`
			`}`

init 2025-07-18 20:10:29 +07:00			`func (s AuthServiceImpl) parseToken(tokenString string) (Claims, error) {`
			`token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])`
			`}`
			`return []byte(s.jwtSecret), nil`
			`})`

			`if err != nil {`
			`return nil, err`
			`}`

			`if claims, ok := token.Claims.(*Claims); ok && token.Valid {`
			`return claims, nil`
			`}`

			`return nil, errors.New("invalid token")`
			`}`