feat: 添加JWT令牌刷新功能

- 新增 @nestjs/jwt 和 jsonwebtoken 依赖包 - 实现 refreshAccessToken 方法支持令牌续期 - 添加 RefreshTokenDto 和 RefreshTokenResponseDto - 新增 /auth/refresh-token 接口 - 完善令牌刷新的限流和超时控制 - 增加相关单元测试覆盖 - 优化错误处理和日志记录
2026-01-06 16:48:24 +08:00
parent c2ecb3c1a7
commit 3733717d1f
10 changed files with 1304 additions and 74 deletions
--- a/src/business/auth/controllers/login.controller.ts
+++ b/src/business/auth/controllers/login.controller.ts
@@ -13,6 +13,7 @@
 * - POST /auth/forgot-password - 发送密码重置验证码
 * - POST /auth/reset-password - 重置密码
 * - PUT /auth/change-password - 修改密码
+ * - POST /auth/refresh-token - 刷新访问令牌
 * 
 * @author moyin angjustinl
 * @version 1.0.0
@@ -23,7 +24,7 @@ import { Controller, Post, Put, Body, HttpCode, HttpStatus, ValidationPipe, UseP
 import { ApiTags, ApiOperation, ApiResponse as SwaggerApiResponse, ApiBody } from '@nestjs/swagger';
 import { Response } from 'express';
 import { LoginService, ApiResponse, LoginResponse } from '../services/login.service';
-import { LoginDto, RegisterDto, GitHubOAuthDto, ForgotPasswordDto, ResetPasswordDto, ChangePasswordDto, EmailVerificationDto, SendEmailVerificationDto, VerificationCodeLoginDto, SendLoginVerificationCodeDto } from '../dto/login.dto';
+import { LoginDto, RegisterDto, GitHubOAuthDto, ForgotPasswordDto, ResetPasswordDto, ChangePasswordDto, EmailVerificationDto, SendEmailVerificationDto, VerificationCodeLoginDto, SendLoginVerificationCodeDto, RefreshTokenDto } from '../dto/login.dto';
 import { 
  LoginResponseDto, 
  RegisterResponseDto, 
@@ -31,7 +32,8 @@ import {
  ForgotPasswordResponseDto, 
  CommonResponseDto,
  TestModeEmailVerificationResponseDto,
-  SuccessEmailVerificationResponseDto
+  SuccessEmailVerificationResponseDto,
+  RefreshTokenResponseDto
 } from '../dto/login_response.dto';
 import { Throttle, ThrottlePresets } from '../../../core/security_core/decorators/throttle.decorator';
 import { Timeout, TimeoutPresets } from '../../../core/security_core/decorators/timeout.decorator';
@@ -609,4 +611,107 @@ export class LoginController {
      message: '限流记录已清除'
    });
  }
+
+  /**
+   * 刷新访问令牌
+   * 
+   * 功能描述：
+   * 使用有效的刷新令牌生成新的访问令牌，实现无感知的令牌续期
+   * 
+   * 业务逻辑：
+   * 1. 验证刷新令牌的有效性和格式
+   * 2. 检查用户状态是否正常
+   * 3. 生成新的JWT令牌对
+   * 4. 返回新的访问令牌和刷新令牌
+   * 
+   * @param refreshTokenDto 刷新令牌数据
+   * @param res Express响应对象
+   * @returns 新的令牌对
+   */
+  @ApiOperation({ 
+    summary: '刷新访问令牌', 
+    description: '使用有效的刷新令牌生成新的访问令牌，实现无感知的令牌续期。建议在访问令牌即将过期时调用此接口。' 
+  })
+  @ApiBody({ type: RefreshTokenDto })
+  @SwaggerApiResponse({ 
+    status: 200, 
+    description: '令牌刷新成功', 
+    type: RefreshTokenResponseDto 
+  })
+  @SwaggerApiResponse({ 
+    status: 400, 
+    description: '请求参数错误' 
+  })
+  @SwaggerApiResponse({ 
+    status: 401, 
+    description: '刷新令牌无效或已过期' 
+  })
+  @SwaggerApiResponse({ 
+    status: 404, 
+    description: '用户不存在或已被禁用' 
+  })
+  @SwaggerApiResponse({ 
+    status: 429, 
+    description: '刷新请求过于频繁' 
+  })
+  @Throttle(ThrottlePresets.REFRESH_TOKEN)
+  @Timeout(TimeoutPresets.NORMAL)
+  @Post('refresh-token')
+  @UsePipes(new ValidationPipe({ transform: true }))
+  async refreshToken(@Body() refreshTokenDto: RefreshTokenDto, @Res() res: Response): Promise<void> {
+    const startTime = Date.now();
+    
+    try {
+      this.logger.log('令牌刷新请求', {
+        operation: 'refreshToken',
+        timestamp: new Date().toISOString(),
+      });
+
+      const result = await this.loginService.refreshAccessToken(refreshTokenDto.refresh_token);
+
+      const duration = Date.now() - startTime;
+
+      if (result.success) {
+        this.logger.log('令牌刷新成功', {
+          operation: 'refreshToken',
+          duration,
+          timestamp: new Date().toISOString(),
+        });
+        res.status(HttpStatus.OK).json(result);
+      } else {
+        this.logger.warn('令牌刷新失败', {
+          operation: 'refreshToken',
+          error: result.message,
+          errorCode: result.error_code,
+          duration,
+          timestamp: new Date().toISOString(),
+        });
+
+        // 根据错误类型设置不同的状态码
+        if (result.message?.includes('令牌验证失败') || result.message?.includes('已过期')) {
+          res.status(HttpStatus.UNAUTHORIZED).json(result);
+        } else if (result.message?.includes('用户不存在')) {
+          res.status(HttpStatus.NOT_FOUND).json(result);
+        } else {
+          res.status(HttpStatus.BAD_REQUEST).json(result);
+        }
+      }
+    } catch (error) {
+      const duration = Date.now() - startTime;
+      const err = error as Error;
+      
+      this.logger.error('令牌刷新异常', {
+        operation: 'refreshToken',
+        error: err.message,
+        duration,
+        timestamp: new Date().toISOString(),
+      }, err.stack);
+
+      res.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
+        success: false,
+        message: '服务器内部错误',
+        error_code: 'INTERNAL_SERVER_ERROR'
+      });
+    }
+  }
 }