Fix/22 mark current session correctly

cmd/oauth-test-client/main.go

@@ -11,9 +11,9 @@ import (
 // Configuration
 // In a real app, these would come from environment variables
 const (
-	AuthServerURL = "https://auth-server-4nmm.onrender.com"            // Replace with your Render URL
-	ClientID      = "your-client-id-here"                              // You'll get this after registering the client
-	ClientSecret  = "your-client-secret-here"                          // You'll get this after registering the client
+	AuthServerURL = "https://auth-server-4nmm.onrender.com" // Replace with your Render URL
+	ClientID      = "your-client-id-here"                   // You'll get this after registering the client
+	ClientSecret  = "your-client-secret-here"               // You'll get this after registering the client
 	RedirectURI   = "http://localhost:3000/callback"
 	AppPort       = ":3000"
 )

internal/config/redis.go

@@ -9,7 +9,6 @@ import (
 
 func InitRedis(cfg *Config) *redis.Client {
 	ctx := context.Background() // Local context variable
-
 	opt, err := redis.ParseURL(cfg.Redis.URL)
 	if err != nil {
 		log.Fatal("Failed to parse Redis URL:", err)

internal/handler/auth_handler.go

@@ -449,6 +449,9 @@ func (h *AuthHandler) GetSessions(c *gin.Context) {
 		return
 	}
 
+	currentSessionID, _ := c.Get("sessionID")
+	currentID, _ := currentSessionID.(string)
+
 	// Convert to response format
 	sessionResponses := make([]dto.SessionResponse, len(sessions))
 	for i, session := range sessions {
@@ -458,7 +461,7 @@ func (h *AuthHandler) GetSessions(c *gin.Context) {
 			UserAgent: session.UserAgent,
 			CreatedAt: session.CreatedAt.Format("2006-01-02 15:04:05"),
 			ExpiresAt: session.ExpiresAt.Format("2006-01-02 15:04:05"),
-			IsCurrent: false, // TODO: Determine if this is the current session
+			IsCurrent: session.ID == currentID, 
 		}
 	}
 

internal/handler/auth_handler_protected_test.go

@@ -39,7 +39,11 @@ func TestAuthHandler_GetMe(t *testing.T) {
 	}
 
 	// Generate Token
-	token, _ := tokenService.GenerateAccessToken(user)
+	token, err := tokenService.GenerateAccessToken(user, "test-session-id")
+	assert.NoError(t, err)
+	if err != nil {
+		t.FailNow()
+	}
 
 	req, _ := http.NewRequest(http.MethodGet, "/api/auth/me", nil)
 	req.Header.Set("Authorization", "Bearer "+token)

internal/handler/auth_handler_test.go

@@ -8,8 +8,11 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
+	"github.com/roshankumar0036singh/auth-server/internal/config"
 	"github.com/roshankumar0036singh/auth-server/internal/dto"
 	"github.com/roshankumar0036singh/auth-server/internal/handler"
+	"github.com/roshankumar0036singh/auth-server/internal/middleware"
+	"github.com/roshankumar0036singh/auth-server/internal/service"
 	"github.com/roshankumar0036singh/auth-server/internal/testutils"
 	"github.com/stretchr/testify/assert"
 )
@@ -94,3 +97,160 @@ func TestAuthHandler_Login(t *testing.T) {
 }
 
 // TODO: Add tests for Protected Routes using middleware
+
+func TestAuthHandler_GetSessions_CurrentSessionFlag(t *testing.T) {
+	authService, _, mr := testutils.SetupIntegrationTest(t)
+	defer mr.Close()
+
+	authHandler := handler.NewAuthHandler(authService, nil)
+
+	cfg := &config.Config{
+		JWT: config.JWTConfig{
+			AccessSecret:  "secret",
+			RefreshSecret: "refresh-secret",
+		},
+	}
+	tokenService := service.NewTokenService(cfg)
+
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	r.Use(middleware.AuthMiddleware(tokenService))
+
+	r.GET("/api/auth/sessions", authHandler.GetSessions)
+
+	// Create user
+	regReq := &dto.RegisterRequest{
+		Email:     "sessions@example.com",
+		Password:  "Password123!",
+		FirstName: "Session",
+		LastName:  "Test",
+	}
+
+	_, err := authService.Register(regReq)
+	assert.NoError(t, err)
+
+	// Create a session via login
+	loginResp, err := authService.Login(
+		&dto.LoginRequest{
+			Email:    "sessions@example.com",
+			Password: "Password123!",
+		},
+		"127.0.0.1",
+		"test-agent",
+	)
+
+	assert.NoError(t, err)
+
+	claims, err := tokenService.ValidateAccessToken(loginResp.AccessToken)
+	assert.NoError(t, err)
+
+	expectedSessionID := claims.SessionID
+
+	// Call sessions endpoint using the access token
+	req, _ := http.NewRequest(
+		http.MethodGet,
+		"/api/auth/sessions",
+		nil,
+	)
+
+	req.Header.Set(
+		"Authorization",
+		"Bearer "+loginResp.AccessToken,
+	)
+
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var resp map[string]interface{}
+	err = json.Unmarshal(w.Body.Bytes(), &resp)
+	assert.NoError(t, err)
+
+	data := resp["data"].([]interface{})
+
+	foundExpectedSession := false
+
+	for _, item := range data {
+		session := item.(map[string]interface{})
+
+		sessionID := session["id"].(string)
+		isCurrent := session["isCurrent"].(bool)
+
+		if sessionID == expectedSessionID {
+			assert.True(t, isCurrent, "expected session used by request token to be current")
+			foundExpectedSession = true
+		}
+	}
+
+	assert.True(t, foundExpectedSession, "expected session ID not found in response")
+
+}
+
+func TestAuthHandler_GetSessions_NoSessionIDInContext(t *testing.T) {
+	authService, _, mr := testutils.SetupIntegrationTest(t)
+	defer mr.Close()
+
+	authHandler := handler.NewAuthHandler(authService, nil)
+
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+
+	// Register user
+	regReq := &dto.RegisterRequest{
+		Email:     "nosession@example.com",
+		Password:  "Password123!",
+		FirstName: "No",
+		LastName:  "Session",
+	}
+
+	user, err := authService.Register(regReq)
+	assert.NoError(t, err)
+
+	userID := user.ID
+
+	// Intentionally set only userID, not sessionID
+	r.GET("/api/auth/sessions", func(c *gin.Context) {
+		c.Set("userID", userID)
+		authHandler.GetSessions(c)
+	})
+
+	// Create a session
+	_, err = authService.Login(
+		&dto.LoginRequest{
+			Email:    regReq.Email,
+			Password: regReq.Password,
+		},
+		"127.0.0.1",
+		"test-agent",
+	)
+	assert.NoError(t, err)
+
+	req, _ := http.NewRequest(
+		http.MethodGet,
+		"/api/auth/sessions",
+		nil,
+	)
+
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var resp map[string]interface{}
+	err = json.Unmarshal(w.Body.Bytes(), &resp)
+	assert.NoError(t, err)
+
+	data := resp["data"].([]interface{})
+	assert.NotEmpty(t, data, "expected at least one session after login")
+
+	for _, item := range data {
+		session := item.(map[string]interface{})
+
+		assert.False(
+			t,
+			session["isCurrent"].(bool),
+			"expected no session to be marked current when sessionID is missing",
+		)
+	}
+}

internal/middleware/auth.go

@@ -72,4 +72,5 @@ func setContextUser(c *gin.Context, claims *service.JWTClaims) {
 	c.Set("userID", claims.UserID)
 	c.Set("email", claims.Email)
 	c.Set("role", claims.Role)
+	c.Set("sessionID", claims.SessionID)
 }

internal/repository/token_repository.go

@@ -23,10 +23,12 @@ func (r *TokenRepository) CreateRefreshToken(token *models.RefreshToken) error {
 	return r.db.Create(token).Error
 }
 
+const tokenQuery = "token = ?"
+
 // FindRefreshToken finds a refresh token by token string
 func (r *TokenRepository) FindRefreshToken(tokenString string) (*models.RefreshToken, error) {
 	var token models.RefreshToken
-	if err := r.db.Where("token = ?", tokenString).First(&token).Error; err != nil {
+	if err := r.db.Where(tokenQuery, tokenString).First(&token).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil, ErrRefreshTokenNotFound
 		}
@@ -61,7 +63,7 @@ func (r *TokenRepository) FindUserRefreshTokens(userID string) ([]models.Refresh
 // RevokeRefreshToken marks a refresh token as revoked
 func (r *TokenRepository) RevokeRefreshToken(tokenString string) error {
 	result := r.db.Model(&models.RefreshToken{}).
-		Where("token = ?", tokenString).
+		Where(tokenQuery, tokenString).
 		Update("is_revoked", true)
 
 	if result.Error != nil {
@@ -126,3 +128,25 @@ func (r *TokenRepository) CountUserActiveSessions(userID string) (int64, error)
 		Count(&count).Error
 	return count, err
 }
+
+func (r *TokenRepository) RotateRefreshToken(oldToken string, newToken *models.RefreshToken) error {
+	return r.db.Transaction(func(tx *gorm.DB) error {
+		result := tx.Model(&models.RefreshToken{}).
+			Where("token = ? AND is_revoked = ?", oldToken, false).
+			Update("is_revoked", true)
+
+		if result.Error != nil {
+			return result.Error
+		}
+
+		if result.RowsAffected == 0 {
+			return ErrRefreshTokenNotFound
+		}
+
+		if err := tx.Create(newToken).Error; err != nil {
+			return err
+		}
+
+		return nil
+	})
+}