Ferrous-Solitaire/.sqlx/query-ef7af925a8715c329dcafca5257c691e6bca31755eb5f54be47114f21fc04c8c.json at master - Ferrous-Solitaire - Fun's Cup of Tea

funman300/Ferrous-Solitaire

Files

T

funman300 b129664344 feat(auth): refresh token rotation via jti tracking

Adds a `refresh_tokens` table (migration 003) with one row per live
refresh token, keyed by UUID jti. On every POST /api/auth/refresh the
old jti row is deleted and a new token pair is issued and stored. Using
a consumed token returns 401. Expired rows are pruned inline on each
successful rotation.

Server: Claims gains an optional `jti` field; make_refresh_token now
returns (jwt, jti); register/login insert the jti row; RefreshResponse
now carries both tokens. Client: stores the rotated refresh token from
the response. ARCHITECTURE.md: API table + Security Model updated.
Three new integration tests cover rotation, consumed-token rejection,
and chained rotations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-12 13:34:42 -07:00

13 lines

269 B

JSON

Raw Permalink Blame History

 {
   "db_name": "SQLite",
   "query": "DELETE FROM refresh_tokens WHERE expires_at < ?",
   "describe": {
     "columns": [],
     "parameters": {
       "Right": 1
     },
     "nullable": []
   },
   "hash": "ef7af925a8715c329dcafca5257c691e6bca31755eb5f54be47114f21fc04c8c"
 }