This document outlines the migration path for existing active sessions after the implementation of Refresh Token Rotation (Issue #508).
The previous JWT implementation lacked refresh token rotation and did not issue refresh tokens with a unique jti (JWT ID). This increased the risk of token compromise. The new implementation requires all refresh tokens to have a jti and automatically rotates them upon each refresh request, maintaining a Redis-backed blacklist of revoked tokens.
Since legacy tokens lack a jti or were not stored as bcrypt hashes in the user's refreshToken column, existing user sessions cannot be automatically upgraded seamlessly without compromising the new security constraints.
To ensure security, the following migration strategy is enforced:
- Invalidate Legacy Sessions: All previous refresh tokens that lack a valid
jtior do not match the new bcrypt hash stored in the database will automatically be rejected by the newAuthService.refreshTokensflow. - Force Re-authentication: Users attempting to refresh their tokens using a legacy refresh token will receive a
401 Unauthorizedresponse. - Client-Side Handling: Frontend and mobile clients should be updated to handle the
401 Unauthorizedon the/auth/refreshendpoint by redirecting the user to the login screen. - New Sessions: Once the user logs in again via
/auth/login, they will be issued a new, compliant refresh token pair with ajtiand the token hash will be securely stored.
- All currently logged-in users will be required to log in again once their short-lived access tokens expire.
- No database migration scripts are necessary for the
userstable since therefreshTokencolumn will simply be overwritten with the new hashed tokens upon their next login.
This "hard" migration ensures that any potentially compromised legacy tokens are immediately rendered useless, fulfilling the security enhancements required by the ticket.