You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: Refresh tokens are stored in plaintext and refresh flow does not validate sessions or rotate tokens. Hash tokens and implement rotation.
Current state: UserSession.refreshToken stores raw token; AuthController.refresh-token only checks JWT validity, not session state; invalidate exists but rotation is missing.
Tasks:
Store refreshTokenHash (e.g., SHA-256) instead of raw token; migrate schema accordingly.
On login: issue refresh token, persist only the hash with expiry and device info.
On refresh: validate against stored hash and isValid, then rotate (issue new refresh token, invalidate old session).
On logout/invalidate: mark session invalid by hash.
Acceptance criteria:
Raw refresh token never persisted; rotation works and old token cannot be reused.
