Skip to content

Strengthen security of token refresh flow#173

Merged
chriscarrollsmith merged 2 commits into
mainfrom
81-strengthen-security-of-token-refresh-flow
Mar 14, 2026
Merged

Strengthen security of token refresh flow#173
chriscarrollsmith merged 2 commits into
mainfrom
81-strengthen-security-of-token-refresh-flow

Conversation

@chriscarrollsmith

Copy link
Copy Markdown
Contributor

Summary

  • Add RefreshToken model with JTI tracking in the private schema for server-side refresh token validation
  • Implement token rotation: each refresh token use revokes the old token and issues a new one
  • Add reuse detection: replaying a revoked token revokes ALL tokens for that account (signals theft)
  • Logout now revokes the refresh token server-side, not just deleting the cookie
  • Email update flow revokes all old refresh tokens before issuing new ones
  • Legacy tokens without JTI (pre-migration) are gracefully rejected, forcing re-login
  • Fix misleading "new email address" text in email update form to correctly say "current email address"

Test plan

  • 7 new integration tests covering all security flows (register/login token creation, logout revocation, token rotation, reuse detection, legacy rejection, automatic dependency refresh)
  • Updated existing unit tests for new JTI-aware token API
  • All 298 tests pass (291 existing + 7 new)
  • Manual testing of register, login, logout, and email update flows

Closes #81

🤖 Generated with Claude Code

Add server-side refresh token tracking with JTI claims, token rotation,
reuse detection, and proper revocation on logout/email change. Fixes #81.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@chriscarrollsmith chriscarrollsmith linked an issue Mar 14, 2026 that may be closed by this pull request
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@chriscarrollsmith chriscarrollsmith merged commit 0612c20 into main Mar 14, 2026
2 checks passed
@chriscarrollsmith chriscarrollsmith deleted the 81-strengthen-security-of-token-refresh-flow branch March 14, 2026 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Strengthen security of token refresh flow

1 participant