Fix refresh token method, set CSRF SameSite, and minor domain config correction

alielmi98 · alielmi98 · commit bee8aca21eae · 2025-05-10T00:30:40.000+03:30
- change refresh token request method from GET to POST for better security and API alignment.
- Added 'SameSite' attribute to CSRF cookie in production for improved security.
- Corrected a minor typo in domain config (added missing 'a' in "domain")
diff --git a/src/api/handler/base_generic_crud.go b/src/api/handler/base_generic_crud.go
@@ -29,8 +29,7 @@ var logger = logging.NewLogger(config.GetConfig())
 func Create[TRequest any, TUInput any, TUOutput any, TResponse any](c *gin.Context,
 	requestMapper func(req TRequest) (res TUInput),
 	responseMapper func(req TUOutput) (res TResponse),
-	usecaseCreate func(ctx context.Context,
-		req TUInput) (TUOutput, error)) {
+	usecaseCreate func(ctx context.Context, req TUInput) (TUOutput, error)) {
 
 	// bind http request
 	request := new(TRequest)
diff --git a/src/api/handler/user.go b/src/api/handler/user.go
@@ -57,7 +57,16 @@ func (h *UsersHandler) LoginByUsername(c *gin.Context) {
 	}
 
 	// Set the refresh token in a cookie
-	c.SetCookie(constant.RefreshTokenCookieName, token.RefreshToken, int(h.config.JWT.RefreshTokenExpireDuration*60), "/", h.config.Server.Domin, true, true)
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     constant.RefreshTokenCookieName,
+		Value:    token.RefreshToken,
+		MaxAge:   int(h.config.JWT.RefreshTokenExpireDuration * 60),
+		Path:     "/",
+		Domain:   h.config.Server.Domain,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	})
 
 	c.JSON(http.StatusCreated, helper.GenerateBaseResponse(token, true, helper.Success))
 }
@@ -118,7 +127,16 @@ func (h *UsersHandler) RegisterLoginByMobileNumber(c *gin.Context) {
 	}
 
 	// Set the refresh token in a cookie
-	c.SetCookie(constant.RefreshTokenCookieName, token.RefreshToken, int(h.config.JWT.RefreshTokenExpireDuration*60), "/", h.config.Server.Domin, true, true)
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     constant.RefreshTokenCookieName,
+		Value:    token.RefreshToken,
+		MaxAge:   int(h.config.JWT.RefreshTokenExpireDuration * 60),
+		Path:     "/",
+		Domain:   h.config.Server.Domain,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	})
 
 	c.JSON(http.StatusCreated, helper.GenerateBaseResponse(token, true, helper.Success))
 }
@@ -161,7 +179,7 @@ func (h *UsersHandler) SendOtp(c *gin.Context) {
 // @Success 200 {object} helper.BaseHttpResponse "Success"
 // @Failure 400 {object} helper.BaseHttpResponse "Failed"
 // @Failure 401 {object} helper.BaseHttpResponse "Failed"
-// @Router /v1/users/refresh-token [get]
+// @Router /v1/users/refresh-token [post]
 func (h *UsersHandler) RefreshToken(c *gin.Context) {
 	token, err := h.tokenUsecase.RefreshToken(c)
 	if err != nil {
@@ -170,6 +188,15 @@ func (h *UsersHandler) RefreshToken(c *gin.Context) {
 		return
 	}
 	// Set the refresh token in a cookie
-	c.SetCookie(constant.RefreshTokenCookieName, token.RefreshToken, int(h.config.JWT.RefreshTokenExpireDuration*60), "/", h.config.Server.Domin, true, true)
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     constant.RefreshTokenCookieName,
+		Value:    token.RefreshToken,
+		MaxAge:   int(h.config.JWT.RefreshTokenExpireDuration * 60),
+		Path:     "/",
+		Domain:   h.config.Server.Domain,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	})
 	c.JSON(http.StatusOK, helper.GenerateBaseResponse(token, true, helper.Success))
 }
diff --git a/src/api/router/users.go b/src/api/router/users.go
@@ -14,5 +14,5 @@ func User(router *gin.RouterGroup, cfg *config.Config) {
 	router.POST("/login-by-username", h.LoginByUsername)
 	router.POST("/register-by-username", h.RegisterByUsername)
 	router.POST("/login-by-mobile", h.RegisterLoginByMobileNumber)
-	router.GET("/refresh-token", h.RefreshToken)
+	router.POST("/refresh-token", h.RefreshToken)
 }
diff --git a/src/config/config-development.yml b/src/config/config-development.yml
@@ -2,7 +2,7 @@ server:
   internalPort: 5005
   externalPort: 5005
   runMode: debug
-  domin: localhost
+  domain: localhost
 logger:
   filePath: ../logs/
   encoding: json
diff --git a/src/config/config-docker.yml b/src/config/config-docker.yml
@@ -2,7 +2,7 @@ server:
   internalPort: 5000
   externalPort: 0
   runMode: release
-  domin: localhost
+  domain: localhost
 logger:
   filePath: /app/logs/
   encoding: json
diff --git a/src/config/config-production.yml b/src/config/config-production.yml
@@ -2,7 +2,7 @@ server:
   internalPort: 5010
   externalPort: 5010
   runMode: release
-  domin: localhost
+  domain: localhost
 logger:
   filePath: logs/
   encoding: json
diff --git a/src/config/config.go b/src/config/config.go
@@ -24,7 +24,7 @@ type ServerConfig struct {
 	InternalPort string
 	ExternalPort string
 	RunMode      string
-	Domin        string
+	Domain       string
 }
 
 type LoggerConfig struct {

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,5 @@ func User(router gin.RouterGroup, cfg config.Config) {`
`14`	`14`	`router.POST("/login-by-username", h.LoginByUsername)`
`15`	`15`	`router.POST("/register-by-username", h.RegisterByUsername)`
`16`	`16`	`router.POST("/login-by-mobile", h.RegisterLoginByMobileNumber)`
`17`		`- router.GET("/refresh-token", h.RefreshToken)`
	`17`	`+ router.POST("/refresh-token", h.RefreshToken)`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ type ServerConfig struct {`
`24`	`24`	`InternalPort string`
`25`	`25`	`ExternalPort string`
`26`	`26`	`RunMode string`
`27`		`- Domin string`
	`27`	`+ Domain string`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`type LoggerConfig struct {`