Skip to content

feat(auth): refresh tokens with short-lived access tokens #32

Description

@trinhvandat

Context (P1 — security)

A single 24h JWT (app.jwt.expiration-ms=86400000) is a long blast radius with no revocation path.

Scope

  • Refresh token entity (opaque random token, hashed at rest, per-device row, expiry ~14d) + rotation on use with reuse detection
  • POST /api/v1/auth/refresh + POST /api/v1/auth/logout (revokes the family)
  • Drop access-token TTL to ~15min (configurable)
  • Liquibase changeset for the refresh_token table

Acceptance criteria

  • Refresh rotates the token; reusing a rotated token revokes the family (tests)
  • Access tokens expire at the configured short TTL; existing tests updated
  • Security review done (touches auth flow + JWT config)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions