Implement JWT token rotation for authentication #1620
Pull request overview
This PR introduces opt-in JWT access token rotation for external authentication used by the Jetstream Desktop app and the Jetstream Web Extension. It adds a client capability header, rotates tokens during /auth/verify, and updates persistence + tests to validate rotated token behavior.
Changes:
- Add `X-Supports-Token-Rotation` header and plumb it through desktop + web extension auth verification.
- Implement server-side rotation via conditional DB update (race-safe) + LRU cache invalidation.
- Add E2E coverage for rotation success, backward compatibility (no header), and logout invalidation.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| libs/shared/constants/src/lib/shared-constants.ts | Adds the new X-Supports-Token-Rotation header constant. |
| apps/jetstream-web-extension/src/extension-scripts/service-worker.ts | Sends rotation header and persists rotated tokens returned by /auth/verify. |
| apps/jetstream-e2e/src/tests/authentication/external-auth/external-auth-logged-in.spec.ts | Adds E2E scenarios validating rotation + invalidation semantics. |
| apps/jetstream-desktop/src/services/ipc.service.ts | Updates desktop auth-check flow to accept rotated tokens and refresh expiry. |
| apps/jetstream-desktop/src/services/api.service.ts | Updates verify schema + always advertises rotation support to the API. |
| apps/api/src/app/services/external-auth.service.ts | Adds rotateToken, cache invalidation helper, short token duration, and jti issuance. |
| apps/api/src/app/db/web-extension.db.ts | Adds replaceTokenIfCurrent for race-safe token replacement in DB. |
| apps/api/src/app/controllers/web-extension.controller.ts | Adds optional rotated token to verify response + invalidates cache on logout. |
| apps/api/src/app/controllers/desktop-app.controller.ts | Adds optional rotated token to verify response + invalidates cache on logout. |
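The pieces the review summary lists (a client capability header checked on verify, a conditional "replace only if still current" write, a per-token `jti`, a short TTL, and cache invalidation on rotation and logout) fit together as below. This is an added illustration, not Jetstream's code: the session-row schema, the claim names (`sid`, `jti`), HS256 with a static secret, the 15-minute TTL, the in-memory maps standing in for the DB and the LRU cache, and the fail-closed handling of a lost rotation race are all assumptions made for the example.

```typescript
// Added illustration (not Jetstream's code) of header-gated access-token rotation
// during /auth/verify with a compare-and-swap replace in the token store and
// invalidation of a verified-token cache. Store layout, claim names, HS256 with a
// static secret and the 15-minute TTL are assumptions made for the example.
import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto';

export const HEADER_SUPPORTS_TOKEN_ROTATION = 'x-supports-token-rotation';
const SIGNING_SECRET = 'example-only-secret'; // assumption: HS256 shared secret
const TOKEN_TTL_SECONDS = 15 * 60; // assumption: short-lived rotated tokens

export interface Claims { sub: string; sid: string; jti: string; iat: number; exp: number }
export interface VerifyResult { ok: boolean; userId?: string; rotatedToken?: string }

function b64url(data: string): string {
  return Buffer.from(data).toString('base64url');
}

export function signToken(claims: Claims): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac('sha256', SIGNING_SECRET).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Signature and expiry check only; whether the token is still *current* is the store's job.
export function verifyToken(token: string, now: number): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac('sha256', SIGNING_SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) as Claims;
  return claims.exp > now ? claims : null;
}

// Persistence: one row per session holding the single currently valid token (assumed schema).
interface SessionRow { userId: string; accessToken: string; expiresAt: number }
const sessions = new Map<string, SessionRow>();
// Stand-in for an LRU cache of already-verified tokens, keyed by the raw token string.
const verifiedCache = new Map<string, Claims>();

export function login(userId: string, now: number): { sessionId: string; token: string } {
  const sid = randomUUID();
  const exp = now + TOKEN_TTL_SECONDS;
  const token = signToken({ sub: userId, sid, jti: randomUUID(), iat: now, exp });
  sessions.set(sid, { userId, accessToken: token, expiresAt: exp });
  return { sessionId: sid, token };
}

// Race-safe replace: the write only happens if the stored token is still the one presented,
// so of two concurrent rotations of the same token exactly one succeeds.
export function replaceTokenIfCurrent(sid: string, current: string, next: string, expiresAt: number): boolean {
  const row = sessions.get(sid);
  if (!row || row.accessToken !== current) return false;
  sessions.set(sid, { ...row, accessToken: next, expiresAt });
  return true;
}

export function invalidateCachedToken(token: string): void {
  verifiedCache.delete(token);
}

export function logout(sid: string): void {
  const row = sessions.get(sid);
  if (row) invalidateCachedToken(row.accessToken); // otherwise the cache would keep honouring it
  sessions.delete(sid);
}

export function handleVerify(token: string, headers: Record<string, string | undefined>, now: number): VerifyResult {
  const claims = verifiedCache.get(token) ?? verifyToken(token, now);
  if (!claims || claims.exp <= now) return { ok: false }; // cache hits still need the expiry check
  const row = sessions.get(claims.sid);
  if (!row || row.accessToken !== token) return { ok: false }; // rotated away or logged out
  verifiedCache.set(token, claims);

  // Clients that do not advertise support keep the old, non-rotating behaviour.
  if (headers[HEADER_SUPPORTS_TOKEN_ROTATION] !== 'true') return { ok: true, userId: row.userId };

  const nextClaims: Claims = { ...claims, jti: randomUUID(), iat: now, exp: now + TOKEN_TTL_SECONDS };
  const next = signToken(nextClaims);
  // Lost the race to another request that already rotated this token: fail closed (assumption).
  if (!replaceTokenIfCurrent(claims.sid, token, next, nextClaims.exp)) return { ok: false };
  invalidateCachedToken(token); // the presented token must stop being accepted immediately
  verifiedCache.set(next, nextClaims);
  return { ok: true, userId: row.userId, rotatedToken: next };
}
```

The two checks worth carrying into a real implementation are the ones the cache makes easy to skip: a cached hit must still be compared against the store (a rotated or logged-out token stays cryptographically valid until `exp`), and the old token must be evicted from the cache in the same step that the store accepts the replacement, or the old and new tokens are both live until the cache entry ages out.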
Introduce JWT token rotation for both desktop and web extension authentication, enhancing security by allowing tokens to be replaced conditionally based on their current state. This update includes support for token rotation in the authentication flow and modifies relevant schemas and routes accordingly.