ecamp · BacLuc · Sep 6, 2025 · Aug 9, 2025 · Aug 30, 2025 · Aug 30, 2025
diff --git a/.helm/ecamp3/templates/api_configmap.yaml b/.helm/ecamp3/templates/api_configmap.yaml
@@ -7,6 +7,9 @@ metadata:
     {{- include "app.commonLabels" . | nindent 4 }}
 data:
   ADDITIONAL_TRUSTED_HOSTS: {{ .Values.domain | quote }}
+  {{- if not (.Values.api.authenticationTokenTtl | empty) }}
+  AUTHENTICATION_TOKEN_TTL: {{ .Values.api.authenticationTokenTtl | quote }}
+  {{- end }}
   COOKIE_PREFIX: {{ include "api.cookiePrefix" . | quote }}
   APP_ENV: {{ .Values.api.appEnv | quote }}
   APP_DEBUG: {{ .Values.api.appDebug | quote }}

diff --git a/.helm/ecamp3/values.yaml b/.helm/ecamp3/values.yaml
@@ -18,6 +18,7 @@ featureToggle:
   checklist: false # enables checklist feature in frontend
 
 api:
+  authenticationTokenTtl:
   subpath: "/api"
   image:
     repository: "docker.io/ecamp/ecamp3-api"

diff --git a/api/.env b/api/.env
@@ -81,4 +81,6 @@ MAIL_FROM_NAME="eCamp v3"
 RECAPTCHA_SECRET="disabled"
 ###< google/recaptcha ###
 
+# Tokens are valid for 12 hours..
+AUTHENTICATION_TOKEN_TTL=43200
 TRANSLATE_ERRORS_TO_LOCALES="en,de,fr,it,rm"
diff --git a/api/composer.json b/api/composer.json
@@ -23,6 +23,7 @@
         "exercise/htmlpurifier-bundle": "5.1",
         "friendsofsymfony/http-cache": "3.1.1",
         "friendsofsymfony/http-cache-bundle": "3.2.0",
+        "gesdinet/jwt-refresh-token-bundle": "1.5.0",
         "google/recaptcha": "1.3.1",
         "guzzlehttp/guzzle": "7.10.0",
         "knpuniversity/oauth2-client-bundle": "2.18.4",

diff --git a/api/composer.lock b/api/composer.lock
diff --git a/api/config/bundles.php b/api/config/bundles.php
@@ -6,6 +6,7 @@
 use Exercise\HTMLPurifierBundle\ExerciseHTMLPurifierBundle;
 use Fidry\AliceDataFixtures\Bridge\Symfony\FidryAliceDataFixturesBundle;
 use FOS\HttpCacheBundle\FOSHttpCacheBundle;
+use Gesdinet\JWTRefreshTokenBundle\GesdinetJWTRefreshTokenBundle;
 use Hautelook\AliceBundle\HautelookAliceBundle;
 use KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle;
 use Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle;
@@ -44,4 +45,5 @@
     SentryBundle::class => ['all' => true],
     TwigExtraBundle::class => ['all' => true],
     FOSHttpCacheBundle::class => ['all' => true],
+    GesdinetJWTRefreshTokenBundle::class => ['all' => true],
 ];
diff --git a/api/config/packages/gesdinet_jwt_refresh_token.yaml b/api/config/packages/gesdinet_jwt_refresh_token.yaml
@@ -0,0 +1,11 @@
+gesdinet_jwt_refresh_token:
+    cookie:
+      enabled: true
+      same_site: strict
+      path: /
+      http_only: true
+      secure: '%env(bool:COOKIE_SECURE)%'
+      remove_token_from_body: true
+    refresh_token_class: App\Entity\RefreshToken
+    single_use: true
+    token_parameter_name: '%env(COOKIE_PREFIX)%refresh_token'
diff --git a/api/config/packages/lexik_jwt_authentication.yaml b/api/config/packages/lexik_jwt_authentication.yaml
@@ -7,9 +7,7 @@ lexik_jwt_authentication:
     public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
     pass_phrase: '%env(JWT_PASSPHRASE)%'
 
-    # Tokens are valid for 12 hours, should be safe because we never expose the whole token to JavaScript.
-    # Of course it would be even better to have only short-lived tokens but renew them on every request.
-    token_ttl: 43200
+    token_ttl: '%env(AUTHENTICATION_TOKEN_TTL)%'
 
     # Read the JWT token from a split cookie: The [api-domain]_jwt_hp and [api-domain]_jwt_s cookies are combined with a period (.)
     # to form the full JWT token.

diff --git a/api/config/packages/security.yaml b/api/config/packages/security.yaml
@@ -28,13 +28,16 @@ security:
             lazy: true
             provider: app_user_provider
             user_checker: App\Security\UserStatusChecker
+            entry_point: jwt
             json_login:
                 check_path: /authentication_token
                 username_path: identifier
                 password_path: password
                 success_handler: lexik_jwt_authentication.handler.authentication_success
                 failure_handler: lexik_jwt_authentication.handler.authentication_failure
             jwt: ~
+            refresh_jwt:
+                check_path: /token/refresh
             custom_authenticators:
                 - App\Security\OAuth\GoogleAuthenticator
                 - App\Security\OAuth\HitobitoAuthenticator
@@ -46,6 +49,7 @@ security:
         - { path: ^/auth, roles: PUBLIC_ACCESS } # OAuth and resend password endpoints
         - { path: ^/content_types, roles: PUBLIC_ACCESS } # Content types is more or less static and the same for all camps
         - { path: ^/invitations/.*/(find|reject), roles: PUBLIC_ACCESS }
+        - { path: ^/token/refresh, roles: PUBLIC_ACCESS }
         - { path: ^/users$, methods: [POST], roles: PUBLIC_ACCESS } # register
         - { path: ^/users/.*/activate$, methods: [PATCH], roles: PUBLIC_ACCESS }
         - { path: .*, roles: [ROLE_USER] } # Protect all other routes must be at the end

diff --git a/api/config/routes.yaml b/api/config/routes.yaml
@@ -4,3 +4,6 @@
 authentication_token:
   path: /authentication_token
   methods: ['POST']
+api_refresh_token:
+  path: /token/refresh
+  methods: ['POST']
diff --git a/api/config/services.yaml b/api/config/services.yaml
@@ -103,6 +103,12 @@ services:
     App\OpenApi\OAuthDecorator:
         decorates: 'api_platform.openapi.factory'
 
+    App\OpenApi\RefreshTokenDecorator:
+        decorates: 'api_platform.openapi.factory'
+        arguments:
+            - '@.inner'
+            - '%env(COOKIE_PREFIX)%'
+
     App\OAuth\UrlGeneratorDecorator:
         class: App\OAuth\UrlGeneratorDecorator
         arguments:

diff --git a/api/migrations/schema/Version20250809140557.php b/api/migrations/schema/Version20250809140557.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20250809140557 extends AbstractMigration {
+    public function getDescription(): string {
+        return 'Add refresh tokens table';
+    }
+
+    public function up(Schema $schema): void {
+        $this->addSql('CREATE TABLE refresh_tokens (refresh_token VARCHAR(128) NOT NULL, username VARCHAR(255) NOT NULL, valid TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_9BACE7E1C74F2195 ON refresh_tokens (refresh_token)');
+    }
+
+    public function down(Schema $schema): void {
+        $this->addSql('DROP TABLE refresh_tokens');
+    }
+}
diff --git a/api/src/Entity/RefreshToken.php b/api/src/Entity/RefreshToken.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Entity;
+
+use Doctrine\ORM\Mapping as ORM;
+use Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken as BaseRefreshToken;
+
+#[ORM\Entity]
+#[ORM\Table(name: 'refresh_tokens')]
+class RefreshToken extends BaseRefreshToken {}
diff --git a/api/src/OpenApi/JwtDecorator.php b/api/src/OpenApi/JwtDecorator.php
@@ -38,7 +38,7 @@ public function __invoke(array $context = []): OpenApi {
                 tags: ['Login'],
                 responses: [
                     '204' => [
-                        'description' => "Get a JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s",
+                        'description' => "Get a JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s. Also returns a refresh token in {$cookiePrefix}refresh_token",
                     ],
                 ],
                 summary: 'Log in using email and password.',

diff --git a/api/src/OpenApi/RefreshTokenDecorator.php b/api/src/OpenApi/RefreshTokenDecorator.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace App\OpenApi;
+
+use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
+use ApiPlatform\OpenApi\Model;
+use ApiPlatform\OpenApi\OpenApi;
+
+final class RefreshTokenDecorator implements OpenApiFactoryInterface {
+    public function __construct(private OpenApiFactoryInterface $decorated, private string $cookiePrefix) {}
+
+    public function __invoke(array $context = []): OpenApi {
+        $openApi = ($this->decorated)($context);
+
+        $cookiePrefix = $this->cookiePrefix;
+        $pathItem = new Model\PathItem(
+            ref: 'JWT Token Refresh',
+            post: new Model\Operation(
+                operationId: 'postRefreshToken',
+                tags: ['JWT Refresh'],
+                responses: [
+                    '204' => [
+                        'description' => "Get a refreshed JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s. Also returns a new refresh token {$cookiePrefix}refresh_token.",
+                    ],
+                ],
+                summary: 'Refresh token.',
+            ),
+        );
+        $openApi->getPaths()->addPath('/token/refresh', $pathItem);
+
+        return $openApi;
+    }
+}
diff --git a/api/src/Serializer/Normalizer/UriTemplateNormalizer.php b/api/src/Serializer/Normalizer/UriTemplateNormalizer.php
@@ -51,6 +51,7 @@ public function normalize($data, $format = null, array $context = []): array|\Ar
         $result['_links']['oauthPbsmidata'] = ['href' => $this->urlGenerator->generate('connect_pbsmidata_start').'{?callback}', 'templated' => true];
         $result['_links']['oauthCevidb'] = ['href' => $this->urlGenerator->generate('connect_cevidb_start').'{?callback}', 'templated' => true];
         $result['_links']['oauthJubladb'] = ['href' => $this->urlGenerator->generate('connect_jubladb_start').'{?callback}', 'templated' => true];
+        $result['_links']['refreshToken'] = ['href' => $this->urlGenerator->generate('api_refresh_token')];
         $result['_links']['resetPassword'] = ['href' => $this->urlGenerator->generate('_api_/auth/reset_password{._format}_post').'{/id}', 'templated' => true];
         $result['_links']['resendActivation'] = ['href' => $this->urlGenerator->generate('_api_/auth/resend_activation{._format}_post'), 'templated' => false];
 

diff --git a/api/symfony.lock b/api/symfony.lock
@@ -174,6 +174,20 @@
     "gedmo/doctrine-extensions": {
         "version": "v3.0.5"
     },
+    "gesdinet/jwt-refresh-token-bundle": {
+        "version": "1.5",
+        "recipe": {
+            "repo": "github.com/symfony/recipes-contrib",
+            "branch": "main",
+            "version": "1.0",
+            "ref": "2390b4ed5c195e0b3f6dea45221f3b7c0af523a0"
+        },
+        "files": [
+            "config/packages/gesdinet_jwt_refresh_token.yaml",
+            "config/routes/gesdinet_jwt_refresh_token.yaml",
+            "src/Entity/RefreshToken.php"
+        ]
+    },
     "google/recaptcha": {
         "version": "1.2",
         "recipe": {

diff --git a/api/tests/Api/FirewallTest.php b/api/tests/Api/FirewallTest.php
@@ -116,6 +116,7 @@ private static function isProtectedByFirewall(mixed $endpoint): bool {
             '/auth/resend_activation' => false,
             '/content_types' => false,
             '/invitations' => false,
+            '/token/refresh' => false,
             default => true
         };
     }

diff --git a/api/tests/Api/SnapshotTests/EndpointPerformanceTest.php b/api/tests/Api/SnapshotTests/EndpointPerformanceTest.php
@@ -244,6 +244,7 @@ private static function getCollectionEndpoints() {
                 '/auth/resend_activation' => false,
                 '/invitations' => false,
                 '/personal_invitations' => false,
+                '/token/refresh' => false,
                 default => true
             };
         });

diff --git a/api/tests/Api/SnapshotTests/ResponseSnapshotTest.php b/api/tests/Api/SnapshotTests/ResponseSnapshotTest.php
@@ -117,6 +117,7 @@ public static function getCollectionEndpoints() {
                 '/auth/resend_activation' => false,
                 '/invitations' => false,
                 '/personal_invitations' => false,
+                '/token/refresh' => false,
                 '/users' => false,
                 default => true
             };

diff --git a/...i/SnapshotTests/__snapshots__/ResponseSnapshotTest__testOpenApiSpecMatchesSnapshot__1.yml b/...i/SnapshotTests/__snapshots__/ResponseSnapshotTest__testOpenApiSpecMatchesSnapshot__1.yml
@@ -34692,6 +34692,16 @@ paths:
       summary: 'Updates the ScheduleEntry resource.'
       tags:
         - ScheduleEntry
+  /token/refresh:
+    post:
+      operationId: postRefreshToken
+      responses:
+        204:
+          description: 'Get a refreshed JWT token split across the two cookies example_com_jwt_hp and example_com_jwt_s. Also returns a new refresh token example_com_refresh_token.'
+      summary: 'Refresh token.'
+      tags:
+        - 'JWT Refresh'
+    ref: 'JWT Token Refresh'
   /users:
     get:
       deprecated: false

diff --git a/...SnapshotTests/__snapshots__/ResponseSnapshotTest__testRootEndpointMatchesSnapshot__1.json b/...SnapshotTests/__snapshots__/ResponseSnapshotTest__testRootEndpointMatchesSnapshot__1.json
@@ -111,6 +111,9 @@
             "href": "/profiles{/id}{?user.collaborations.camp,user.collaborations.camp[],user,user[]}",
             "templated": true
         },
+        "refreshToken": {
+            "href": "/token/refresh"
+        },
         "resendActivation": {
             "href": "/auth/resend_activation",
             "templated": false

diff --git a/api/tests/Serializer/Normalizer/UriTemplateNormalizerTest.php b/api/tests/Serializer/Normalizer/UriTemplateNormalizerTest.php
@@ -45,6 +45,9 @@ protected function setUp(): void {
                 case 'connect_jubladb_start':
                     return '/auth/jubladb';
 
+                case 'api_refresh_token':
+                    return '/token/refresh';
+
                 case '_api_/auth/resend_activation{._format}_post':
                     return '/auth/resend_activation';
 
@@ -91,6 +94,9 @@ protected function setUp(): void {
                 'href' => '/auth/reset_password{/id}',
                 'templated' => true,
             ],
+            'refreshToken' => [
+                'href' => '/token/refresh',
+            ],
         ];
     }