Skip to content

Title: Add refresh token rotation to auth serviceLabels: enhancement security #68

Description

@Uyoxy

Description

src/modules/auth/auth.service.ts lacks refresh token rotation.
Stolen refresh tokens remain valid indefinitely without rotation,
creating a security risk for all users.

Implementation Requirements

  • Update src/modules/auth/auth.service.ts to implement rotating refresh tokens
  • Add refreshToken and refreshTokenExpiry fields to src/modules/users/user.entity.ts
  • Add POST /auth/refresh endpoint in src/modules/auth/auth.controller.ts
  • Invalidate old refresh token after each use
  • Add unit tests in src/modules/auth/auth.service.spec.ts

Acceptance Criteria

  • POST /auth/refresh returns new access and refresh tokens
  • Old refresh token invalidated after use
  • Reusing old refresh token returns 401
  • Unit tests pass
  • npm run lint passes
  • CI checks pass before PR is merged

Evidence Required

Contributors must provide ALL of the following:

  • Screenshot of server running with npm run start:dev
  • Screenshot of Postman or curl showing POST /auth/refresh returning new tokens
  • Screenshot of reused token returning 401
  • Screenshot of passing CI checks on the PR

Files Affected

  • src/modules/auth/auth.service.ts (modify)
  • src/modules/auth/auth.controller.ts (modify)
  • src/modules/users/user.entity.ts (modify)
  • src/modules/auth/auth.service.spec.ts (create)

Metadata

Metadata

Assignees

Labels

GrantFox OSSIssue tracked in GrantFox OSSMaybe RewardedIssue may be eligible for a GrantFox rewardOfficial CampaignCampaign: Official Campaign

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions