final changes

SerpentRace_Backend/src/Application/User/commands/LoginCommandHandler.ts

@@ -12,6 +12,7 @@ import { Response } from 'express';
 export interface LoginResponse {
   user: ShortUserDto;
   token: string;
+  refreshToken: string;
   requiresOrgReauth?: boolean;
   orgLoginUrl?: string;
   organizationName?: string;
@@ -111,7 +112,23 @@ export class LoginCommandHandler {
       try {
         // Use the real response object if provided, otherwise use mock
         const responseObj = res || mockRes;
-        const token = this.jwtService.create(tokenPayload, responseObj);
+        
+        // Check if client prefers Bearer token authentication
+        const prefersBearerAuth = res && (
+          res.req?.headers['authorization'] !== undefined ||
+          res.req?.headers['x-auth-method'] === 'bearer' ||
+          res.req?.headers['accept']?.includes('application/json')
+        );
+        
+        let tokenPair: any;
+        
+        if (prefersBearerAuth && res) {
+          // Create token pair for Bearer authentication (no cookies)
+          tokenPair = this.jwtService.createTokenPair(tokenPayload);
+        } else {
+          // Cookie-based authentication (sets cookies automatically)
+          tokenPair = this.jwtService.create(tokenPayload, responseObj);
+        }
         
         // Check if user belongs to an organization and needs reauthentication
         let requiresOrgReauth = false;
@@ -154,7 +171,8 @@ export class LoginCommandHandler {
         
         const response: LoginResponse = {
           user: UserMapper.toShortDto(user),
-          token
+          token: tokenPair.accessToken,
+          refreshToken: tokenPair.refreshToken
         };
 
         if (requiresOrgReauth) {

SerpentRace_Backend/src/Application/User/commands/LogoutCommandHandler.ts

@@ -17,45 +17,63 @@ export class LogoutCommandHandler {
     try {
       logAuth('Logout process started', userId);
 
-      // 1. Get token from request to blacklist it
-      let tokenToBlacklist: string | null = null;
+      // 1. Get tokens from request to blacklist them
+      let accessTokenToBlacklist: string | null = null;
+      let refreshTokenToBlacklist: string | null = null;
+      
       if (req) {
-        // Extract token from cookie
-        tokenToBlacklist = req.cookies['auth_token'];
-        
-        // Also check Authorization header as fallback
-        if (!tokenToBlacklist && req.headers.authorization) {
+        // Extract access token from cookie or Authorization header
+        accessTokenToBlacklist = req.cookies['auth_token'];
+        if (!accessTokenToBlacklist && req.headers.authorization) {
           const authHeader = req.headers.authorization;
           if (authHeader.startsWith('Bearer ')) {
-            tokenToBlacklist = authHeader.substring(7);
+            accessTokenToBlacklist = authHeader.substring(7);
           }
         }
+
+        // Extract refresh token from cookie or header
+        refreshTokenToBlacklist = req.cookies['refresh_token'];
+        if (!refreshTokenToBlacklist) {
+          refreshTokenToBlacklist = req.headers['x-refresh-token'] as string;
+        }
       }
 
-      // 2. Blacklist the current JWT token in Redis (if available)
-      if (tokenToBlacklist && req) {
+      // 2. Blacklist both access and refresh tokens in Redis
+      if (accessTokenToBlacklist && req) {
         try {
-          // Store token in blacklist with expiration matching token expiry
           const decoded = this.jwtService.verify(req);
           if (decoded && decoded.exp) {
             const ttl = decoded.exp - Math.floor(Date.now() / 1000);
             if (ttl > 0) {
-              await this.redisService.setWithExpiry(`blacklist:${tokenToBlacklist}`, 'true', ttl);
-              logAuth('JWT token blacklisted', userId, { tokenExpiry: ttl });
+              await this.redisService.setWithExpiry(`blacklist:${accessTokenToBlacklist}`, 'true', ttl);
+              logAuth('Access token blacklisted', userId, { tokenExpiry: ttl });
             }
           }
         } catch (error) {
-          logWarning('Failed to blacklist token', { userId, error: (error as Error).message });
+          logWarning('Failed to blacklist access token', { userId, error: (error as Error).message });
         }
       }
 
-      // 3. Clear authentication cookie
-      res.clearCookie('auth_token', {
-        httpOnly: true,
-        secure: process.env.NODE_ENV === 'production',
-        sameSite: 'strict',
-        path: '/'
-      });
+      // Blacklist refresh token if present
+      if (refreshTokenToBlacklist) {
+        try {
+          const refreshDecoded = this.jwtService.verifyRefreshToken(refreshTokenToBlacklist);
+          if (refreshDecoded && refreshDecoded.exp) {
+            const ttl = refreshDecoded.exp - Math.floor(Date.now() / 1000);
+            if (ttl > 0) {
+              await this.redisService.setWithExpiry(`blacklist:${refreshTokenToBlacklist}`, 'true', ttl);
+              logAuth('Refresh token blacklisted', userId, { tokenExpiry: ttl });
+            }
+          }
+        } catch (error) {
+          logWarning('Failed to blacklist refresh token', { userId, error: (error as Error).message });
+        }
+      }
+
+      // 3. Use JWT service to clear cookies and set logout headers
+      if (req) {
+        this.jwtService.logout(req, res);
+      }
 
       // 4. Remove user from active sessions in Redis
       try {