[Backend] Secure Refresh Token Rotation Mechanisms

[armorbreak001]

Fixes #294

What was done

Prisma Schema

• Added RefreshToken model to schema.prisma:
  • token (unique, SHA-256 hashed) — opaque random string, NOT a JWT
  • userId → User relation with cascade delete
  • expiresAt — 7-day TTL
  • replacedBy — links to new token after rotation (for replay detection)
  • revokedAt — timestamp when token was invalidated
  • Indexes on userId and token for fast lookups

RefreshTokenService (src/auth/refresh-token.service.ts)

• generate(userId): Creates a new opaque 64-byte hex token, stores SHA-256 hash in DB, returns raw token to client
• rotate(rawToken): The core security feature — validates existing token → marks it as replaced (with replacedBy link) → issues brand new token atomically via Prisma transaction
• Replay attack protection: If a revoked/replaced token is used again, the service detects reuse and revokes the entire token chain, forcing re-login
• revoke(rawToken): Single token revocation (logout)
• revokeAllForUser(userId): Bulk revocation (password change, security event)
• cleanupExpired(): Remove expired tokens (for scheduled jobs)

AuthService Updates

• All auth flows (login, register, walletAuth) now use RefreshTokenService.generate() instead of JWT-based refresh tokens
• POST /auth/refresh now calls rotate() — each refresh gets a completely new token, old one is invalidated
• Access token: 15 minutes TTL (short-lived)
• Refresh token: 7 days TTL (opaque, rotated on each use)

How to verify

1. Run cd backend && npx prisma db push to apply schema changes
2. Register/login a user — response includes both accessToken and refreshToken
3. Call POST /auth/refresh with {"refreshToken": "..."} — get a NEW refreshToken (old one is now invalid)
4. Try using the OLD refresh token again → should get 403 Token reuse detected error
5. Check refresh_tokens table in DB — see hashed tokens with revokedAt and replacedBy fields populated