Roblox OAuth refresh token

Author: maefall

src/oauth/routes/mod.rs

@@ -48,6 +48,7 @@ pub(crate) fn routes() -> Vec<rocket::Route> {
         discord::discord_refresh_token,
         roblox::roblox_oauth_initiate,
         roblox::roblox_oauth_callback,
+        roblox::roblox_refresh_token,
         refresh_session,
     ]
 }

src/oauth/routes/roblox.rs

@@ -1,23 +1,37 @@
-use crate::config::Config;
-use crate::constants;
-use crate::database::wrappers::account_links::models::NewAccountLink;
-use crate::database::wrappers::account_links::AccountLinksDb;
-use crate::database::wrappers::roblox_connections::models::NewRobloxConnection;
-use crate::database::wrappers::roblox_connections::RobloxConnectionsDb;
-use crate::database::wrappers::sessions::models::Session;
-use crate::oauth::types::roblox::{RobloxOAuthScopeSet, RobloxOAuthScopes};
-use crate::oauth::types::OAuthCallback;
-use crate::oauth::utils::generate_state;
-use crate::oauth::utils::pixy::Pixy;
-use crate::oauth::utils::roblox::{construct_roblox_oauth_url, exchange_code, get_authorized_user};
-use crate::response::{ApiError, ApiResult};
-use crate::utils::construct_api_route;
-use crate::DbConn;
+use crate::{
+    config::Config,
+    constants,
+    database::wrappers::{
+        account_links::{models::NewAccountLink, AccountLinksDb},
+        roblox_connections::{models::NewRobloxConnection, RobloxConnectionsDb},
+        sessions::models::Session,
+    },
+    oauth::{
+        types::{
+            roblox::{RobloxOAuthScopeSet, RobloxOAuthScopes},
+            OAuthCallback,
+        },
+        utils::{
+            generate_state,
+            pixy::Pixy,
+            roblox::{
+                construct_roblox_oauth_url, exchange_code, find_account_link, get_authorized_user,
+                get_roblox_refresh_token_by_roblox_uid,
+                update_roblox_connection_with_refresh_token,
+            },
+        },
+    },
+    response::{ApiError, ApiResponse, ApiResult},
+    utils::construct_api_route,
+    DbConn,
+};
 use diesel::Connection;
-use rocket::http::{Cookie, CookieJar, SameSite, Status};
-use rocket::response::Redirect;
-use rocket::time::Duration;
-use rocket::State;
+use rocket::{
+    http::{Cookie, CookieJar, SameSite, Status},
+    response::Redirect,
+    time::Duration,
+    State,
+};
 
 /// Handles the Roblox OAuth callback by verifying the state and code verifier,
 /// and exchanging the code for a token.
@@ -144,3 +158,42 @@ pub(super) async fn roblox_oauth_initiate(
 
     Ok(Redirect::to(redirect_uri))
 }
+
+/// If the given roblox_uid belongs to the authenticated user,
+/// refreshes the access token of that roblox_uid
+///
+/// # Possible Responses
+///
+/// - `204 No Content` everything's successful
+/// - `400 Bad Request` roblox_uid isn't provided.
+/// - `401 Unauthorized`
+///   - The session cookie is missing.
+///   - The session is not found in the database.
+/// - `404 Not Found`
+///   - Account link.
+///   - Roblox connection.
+/// - `500 Internal Server Error`
+///   - Failed to encrypt the access token and/or refresh token.
+///   - Failed to update the Roblox connection.
+///   - Failed to parse the response from the Roblox token refresh endpoint
+#[post("/roblox/refresh-token?<roblox_uid>")]
+pub(super) async fn roblox_refresh_token(
+    roblox_uid: String,
+    conn: DbConn,
+    session: Session,
+    cfg: &State<Config>,
+) -> ApiResult {
+    let account_link = find_account_link(&conn, session.discord_uid, roblox_uid).await?;
+    let refresh_token =
+        get_roblox_refresh_token_by_roblox_uid(&conn, &account_link.roblox_uid).await?;
+
+    update_roblox_connection_with_refresh_token(
+        &conn,
+        &account_link.roblox_uid,
+        &refresh_token,
+        cfg,
+    )
+    .await?;
+
+    Ok(ApiResponse::status(Status::NoContent))
+}

src/oauth/types/roblox.rs

@@ -51,7 +51,7 @@ pub(crate) enum RobloxOAuthScope {
     UserUserNotificationWrite,
 }
 
-/// The request body for the Roblox OAuth token endpoint.
+/// The request body for obtaining Roblox OAuth access token with code & code_verifier.
 #[derive(Serialize)]
 #[serde(crate = "rocket::serde")]
 pub(crate) struct RobloxAuthorizedCodeRequestBody<'a> {
@@ -68,6 +68,21 @@ pub(crate) struct RobloxAuthorizedCodeRequestBody<'a> {
     client_secret: String,
 }
 
+/// The request body for obtaining Roblox OAuth access token with a refresh token.
+#[derive(Serialize)]
+#[serde(crate = "rocket::serde")]
+pub(crate) struct RobloxTokenRefreshRequestBody<'a> {
+    /// The refresh token received from the token exchange endpoint.
+    refresh_token: &'a str,
+    /// The grant type for the OAuth2 request.
+    grant_type: &'a str,
+    /// The client ID for the OAuth2 application.
+    client_id: &'a str,
+    /// The client secret for the OAuth2 application.
+    /// Must be an owned string as it is retrieved from the environment
+    client_secret: String,
+}
+
 /// The response body for the Roblox OAuth token endpoint.
 #[derive(Deserialize)]
 #[serde(crate = "rocket::serde")]
@@ -204,6 +219,29 @@ impl<'a> RobloxAuthorizedCodeRequestBody<'a> {
     }
 }
 
+impl<'a> RobloxTokenRefreshRequestBody<'a> {
+    /// Creates a new [`RobloxTokenRefreshRequestBody`] with the given refresh_token, grant_type and configuration.
+    pub(crate) fn new(refresh_token: &'a str, cfg: &'a Config) -> Self {
+        Self {
+            refresh_token,
+            grant_type: "refresh_token",
+            client_id: &cfg.oauth.roblox.client_id,
+            client_secret: std::env::var(constants::env::ROBLOX_CLIENT_SECRET)
+                .unwrap_or_else(|_| panic!("{} must be set", constants::env::ROBLOX_CLIENT_SECRET)),
+        }
+    }
+
+    /// Converts the request body to a query parameter string.
+    pub(crate) fn as_query_params(&self) -> String {
+        url!([
+            ("refresh_token", self.refresh_token),
+            ("grant_type", self.grant_type),
+            ("client_id", self.client_id),
+            ("client_secret", self.client_secret)
+        ])
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::{RobloxOAuthScope, RobloxOAuthScopeSet, RobloxOAuthScopes};

src/oauth/utils/roblox.rs

@@ -1,12 +1,22 @@
-use crate::config::Config;
-use crate::constants;
-use crate::oauth::types::roblox::{
-    RobloxAccessTokenResponse, RobloxAuthorizedCodeRequestBody, RobloxOAuthScopes,
-    RobloxUserInfoResponse,
+use crate::{
+    cipher::{decrypt, EncryptedData},
+    config::Config,
+    constants,
+    database::wrappers::{
+        account_links::{
+            models::AccountLink, AccountLinkUserId, AccountLinksDb, DiscordMarker, RobloxMarker,
+        },
+        roblox_connections::{models::NewRobloxConnection, RobloxConnectionsDb},
+    },
+    oauth::types::roblox::{
+        RobloxAccessTokenResponse, RobloxAuthorizedCodeRequestBody, RobloxOAuthScopes,
+        RobloxTokenRefreshRequestBody, RobloxUserInfoResponse,
+    },
+    response::ApiError,
+    url, DbConn,
 };
-use crate::response::ApiError;
-use crate::url;
 use rocket::http::Status;
+use std::sync::Arc;
 
 /// Constructs the Roblox OAuth URL with the given scopes and state.
 /// The scopes are joined by an encoded space (`%20`).
@@ -97,3 +107,159 @@ pub(crate) fn get_authorized_user(access_token: &str) -> Result<RobloxUserInfoRe
             )
         })
 }
+
+/// Exchanges the refresh token for an access token.
+///
+/// # Arguments
+///
+/// * `refresh_token` - The refresh token to exchange for an access token.
+/// * `cfg` - The application configuration.
+///
+/// # Returns
+///
+/// The [`RobloxAccessTokenResponse`] struct if the token refresh was successful, an [`ApiError`] otherwise.
+pub(crate) fn refresh_access_token(
+    refresh_token: &str,
+    cfg: &Config,
+) -> Result<RobloxAccessTokenResponse, ApiError> {
+    let body = RobloxTokenRefreshRequestBody::new(refresh_token, cfg);
+    let response = minreq::post(constants::roblox_api::TOKEN_URL)
+        .with_header("Content-Type", "application/x-www-form-urlencoded")
+        .with_body(body.as_query_params())
+        .send()
+        .map_err(|_| ApiError::message(Status::BadGateway, "Failed to refresh access token"))?;
+
+    response.json::<RobloxAccessTokenResponse>().map_err(|_| {
+        ApiError::message(
+            Status::InternalServerError,
+            "Failed to parse token response",
+        )
+    })
+}
+
+/// Finds an account link by discord uid & roblox uid
+///
+/// # Arguments
+///
+/// * `db_conn`
+/// * `discord_uid`
+/// * `roblox_uid`
+///
+/// # Returns
+///
+/// [`AccountLink`] if the account link was found, an [`ApiError`] otherwise.
+pub(crate) async fn find_account_link(
+    db_conn: &DbConn,
+    discord_uid: String,
+    roblox_uid: String,
+) -> Result<AccountLink, ApiError> {
+    db_conn
+        .run(|conn| {
+            let discord_marker = AccountLinkUserId::<DiscordMarker>::new(discord_uid);
+            let roblox_marker = AccountLinkUserId::<RobloxMarker>::new(roblox_uid);
+
+            AccountLinksDb::find_one((discord_marker, roblox_marker), conn)
+        })
+        .await
+        .ok_or_else(|| {
+            ApiError::message(
+                Status::NotFound,
+                "Roblox account link with the given discord_uid & roblox_uid not found",
+            )
+        })
+}
+
+/// Finds & decrypts the refresh token belonging to the given roblox uid
+///
+/// # Arguments
+///
+/// * `db_conn`
+/// * `roblox_uid`
+///
+/// # Returns
+///
+/// [`String`] if the refresh token was found, an [`ApiError`] otherwise.
+pub(crate) async fn get_roblox_refresh_token_by_roblox_uid(
+    db_conn: &DbConn,
+    roblox_uid: &str,
+) -> Result<String, ApiError> {
+    let roblox_uid = Arc::<str>::from(roblox_uid);
+
+    db_conn
+        .run(move |conn| {
+            let Some(roblox_connection) = RobloxConnectionsDb::find_one(&roblox_uid, conn) else {
+                return Err(ApiError::message(
+                    Status::NotFound,
+                    "Roblox connection with the given uid not found",
+                ));
+            };
+
+            let decrypted_refresh_token = decrypt(&EncryptedData {
+                data: roblox_connection.refresh_token,
+                nonce: roblox_connection.refresh_token_nonce,
+            })
+            .map_err(|_| {
+                ApiError::message(
+                    Status::InternalServerError,
+                    "Failed to decrypt the Roblox refresh token",
+                )
+            });
+
+            Ok(decrypted_refresh_token)
+        })
+        .await?
+}
+
+/// Refreshes the access token belonging to the given roblox uid
+/// with the given refresh token
+///
+/// # Arguments
+///
+/// * `db_conn`
+/// * `roblox_uid`
+/// * `refresh_token`
+/// * `cfg` - Application config
+///
+/// # Returns
+///
+/// [`()`] if everything was successful, an [`ApiError`] otherwise.
+pub(crate) async fn update_roblox_connection_with_refresh_token(
+    db_conn: &DbConn,
+    roblox_uid: &str,
+    refresh_token: &str,
+    cfg: &Config,
+) -> Result<(), ApiError> {
+    let new_token_info = refresh_access_token(refresh_token, cfg)?;
+    let new_token_expires_at =
+        chrono::Utc::now().naive_utc() + chrono::Duration::seconds(new_token_info.expires_in);
+
+    let update_connection = NewRobloxConnection::build()
+        .refresh_token(new_token_info.refresh_token)
+        .access_token(new_token_info.access_token)
+        .expires_at(new_token_expires_at)
+        .build_update()
+        .map_err(|_| {
+            ApiError::message(
+                Status::InternalServerError,
+                "Failed to encrypt access token and/or refresh token",
+            )
+        })?;
+
+    let roblox_uid = Arc::<str>::from(roblox_uid);
+
+    db_conn
+        .run(move |conn| {
+            RobloxConnectionsDb::update_one(&roblox_uid, update_connection, conn)?;
+
+            diesel::result::QueryResult::Ok(())
+        })
+        .await
+        .map_err(|_| {
+            ApiError::message(
+                Status::InternalServerError,
+                "Failed to update the Roblox connection due to an error",
+            )
+        })?;
+
+    Ok(())
+}