Skip to content

feat(auth): implement JWT refresh token rotation with Redis blocklist and HttpOnly cookies#142

Open
AlphaTechini wants to merge 1 commit into
Pidoko257:mainfrom
AlphaTechini:main
Open

feat(auth): implement JWT refresh token rotation with Redis blocklist and HttpOnly cookies#142
AlphaTechini wants to merge 1 commit into
Pidoko257:mainfrom
AlphaTechini:main

Conversation

@AlphaTechini

Copy link
Copy Markdown

Closes #3

  • Access tokens expire after 15 minutes (ACCESS_TOKEN_EXPIRES_IN); refresh tokens after 7 days

  • Refresh token set as HttpOnly, Secure, SameSite=Strict cookie on /api/auth path

  • POST /api/auth/refresh reads token from cookie, blocklists old token in Redis, issues rotated pair

  • POST /api/auth/logout blocklists token and clears cookie

  • Redis blocklist check (refresh_blocklist:*) for fast reuse detection; family revoked on detection

  • verifyRefreshToken now checks Redis before PostgreSQL; returns { decoded, dbRow }

  • Added revokeByToken to RefreshTokenFamilyModel for per-token DB invalidation

  • SSO login also sets refresh token cookie for consistency

  • Added TOKEN_REUSE_DETECTED error code (HTTP 401)

Description

Brief description of changes.

Related Issue

Fixes #(issue number)

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Code refactoring
  • Performance improvement

Changes Made

Testing

How did you test these changes?

Checklist

  • Code follows project style
  • Self-reviewed my code
  • Commented complex code
  • Updated documentation
  • No new warnings
  • Added tests (if applicable)

Screenshots (if applicable)

Additional Notes

… and HttpOnly cookies

- Access tokens expire after 15 minutes (ACCESS_TOKEN_EXPIRES_IN); refresh tokens after 7 days

- Refresh token set as HttpOnly, Secure, SameSite=Strict cookie on /api/auth path

- POST /api/auth/refresh reads token from cookie, blocklists old token in Redis, issues rotated pair

- POST /api/auth/logout blocklists token and clears cookie

- Redis blocklist check (refresh_blocklist:*) for fast reuse detection; family revoked on detection

- verifyRefreshToken now checks Redis before PostgreSQL; returns { decoded, dbRow }

- Added revokeByToken to RefreshTokenFamilyModel for per-token DB invalidation

- SSO login also sets refresh token cookie for consistency

- Added TOKEN_REUSE_DETECTED error code (HTTP 401)
@drips-wave

drips-wave Bot commented Jun 30, 2026

Copy link
Copy Markdown

@AlphaTechini Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement JWT Refresh Token Rotation

1 participant