feat: add refresh token flow for long-lived sessions

- Add RefreshToken model with rotation
- Add POST /auth/refresh endpoint
- Add POST /auth/logout that revokes refresh token
- Login returns JWT (8h) + refresh_token (30 days)
- Refresh rotates token (old is revoked)
- Fix Carbon\Carbon::now() calls instead of now() helper
- Update API docs
This commit is contained in:
Hermes Agent
2026-05-20 17:57:18 +02:00
parent af2b179a49
commit f68400e282
6 changed files with 170 additions and 26 deletions

View File

@@ -15,8 +15,9 @@ Authorization: Bearer <token>
### Auth
| Method | Path | Description |
|--------|------|-------------|
| POST | `/auth/login` | Login with email/password, returns JWT |
| POST | `/auth/logout` | Logout (client-side token discard) |
| POST | `/auth/login` | Login with email/password, returns JWT + refresh_token |
| POST | `/auth/refresh` | Exchange refresh_token for new JWT + refresh_token |
| POST | `/auth/logout` | Revoke refresh token (logout) |
| GET | `/auth/me` | Current user info (requires auth) |
### Bootstrap