From 3b37a8d189986fd42875521feceba5fcf24d3233 Mon Sep 17 00:00:00 2001
From: Kenneth
Date: Mon, 15 Dec 2025 00:38:23 +0000
Subject: [PATCH] fix: auto refresh if access token not in cookies
---
 apps/backend/internal/auth/middleware.go | 26 ++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/apps/backend/internal/auth/middleware.go b/apps/backend/internal/auth/middleware.go
index 237118f..b9088a7 100644
--- a/apps/backend/internal/auth/middleware.go
+++ b/apps/backend/internal/auth/middleware.go
@@ -36,11 +36,33 @@ func NewAuthMiddleware(s *Service, db *bun.DB, cookieConfig CookieConfig) fiber.
 setCookies = true
 }
 
- if at == "" {
- slog.Info("no access token")
+ if at == "" && rt == "" {
+ slog.Info("no access token or refresh token")
 return c.SendStatus(fiber.StatusUnauthorized)
 }
 
+ if at == "" {
+ // if there is no access token, attempt to get new access token using the refresh token.
+ tx, err := db.BeginTx(c.Context(), nil)
+ if err != nil {
+ return c.SendStatus(fiber.StatusUnauthorized)
+ }
+ defer tx.Rollback()
+
+ newTokens, err := s.RefreshAccessToken(c.Context(), tx, rt)
+ if err != nil {
+ return c.SendStatus(fiber.StatusUnauthorized)
+ }
+
+ if err := tx.Commit(); err != nil {
+ return c.SendStatus(fiber.StatusUnauthorized)
+ }
+
+ setAuthCookies(c, newTokens.AccessToken, newTokens.RefreshToken, cookieConfig)
+ at = newTokens.AccessToken
+ rt = newTokens.RefreshToken
+ }
+
 authResult, err := s.AuthenticateWithAccessToken(c.Context(), db, at)
 if err != nil {
 var e *InvalidAccessTokenError
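Review bot: The three failure paths in the new `if at == "" { … }` block all return 401 with no log line, so a database fault in `db.BeginTx` or `tx.Commit` is indistinguishable from a rejected refresh token, both to the client and in the logs. I would log each path without the token value and keep 401 for the `RefreshAccessToken` error only, e.g. `slog.Error("token refresh: begin tx", "error", err)` followed by `return c.SendStatus(fiber.StatusInternalServerError)` for the two transaction errors, and `slog.Info("refresh token rejected", "error", err)` for the middle one. Separately, since `RefreshAccessToken` returns a new refresh token, several parallel requests that arrive with the same cookie after the access token has expired will each try to redeem it; whether the later ones simply get 401 or trip reuse detection depends on code outside this hunk and is worth confirming. The body of `NewAuthMiddleware` starts and ends outside the hunk.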