Description
src/modules/auth/auth.service.ts lacks refresh token rotation.
Stolen refresh tokens remain valid indefinitely without rotation,
creating a security risk for all users.
Implementation Requirements
- Update
src/modules/auth/auth.service.ts to implement rotating refresh tokens
- Add
refreshToken and refreshTokenExpiry fields to src/modules/users/user.entity.ts
- Add
POST /auth/refresh endpoint in src/modules/auth/auth.controller.ts
- Invalidate old refresh token after each use
- Add unit tests in
src/modules/auth/auth.service.spec.ts
Acceptance Criteria
Evidence Required
Contributors must provide ALL of the following:
Files Affected
src/modules/auth/auth.service.ts (modify)
src/modules/auth/auth.controller.ts (modify)
src/modules/users/user.entity.ts (modify)
src/modules/auth/auth.service.spec.ts (create)
Description
src/modules/auth/auth.service.tslacks refresh token rotation.Stolen refresh tokens remain valid indefinitely without rotation,
creating a security risk for all users.
Implementation Requirements
src/modules/auth/auth.service.tsto implement rotating refresh tokensrefreshTokenandrefreshTokenExpiryfields tosrc/modules/users/user.entity.tsPOST /auth/refreshendpoint insrc/modules/auth/auth.controller.tssrc/modules/auth/auth.service.spec.tsAcceptance Criteria
POST /auth/refreshreturns new access and refresh tokensnpm run lintpassesEvidence Required
Contributors must provide ALL of the following:
npm run start:devPOST /auth/refreshreturning new tokensFiles Affected
src/modules/auth/auth.service.ts(modify)src/modules/auth/auth.controller.ts(modify)src/modules/users/user.entity.ts(modify)src/modules/auth/auth.service.spec.ts(create)