
feat: implement refresh token rotation#526

Open
hashhhh-16 wants to merge 2 commits into
niharika-mente:mainfrom
hashhhh-16:feat/refresh-token-rotation

Conversation

@hashhhh-16

Contributor

Summary

Implements refresh token rotation for JWT-based authentication.

Changes Made

  • Added refreshToken field to the User model for server-side refresh token tracking.
  • Added JWT_REFRESH_SECRET configuration for refresh token signing and verification.
  • Introduced helper functions to generate access and refresh tokens separately.
  • Updated login flow to issue both access and refresh tokens.
  • Added POST /auth/refresh endpoint.
  • Implemented refresh token rotation by generating and storing a new refresh token on every successful refresh request.
  • Invalidated stored refresh tokens during logout.
  • Updated authentication-related tests to reflect the new token response structure.

Security Improvements

  • Prevents reuse of old refresh tokens after a successful refresh.
  • Ensures refresh tokens can be invalidated on logout.
  • Adds server-side validation of refresh tokens before issuing new access tokens.
  • Reduces the impact of refresh token leakage by rotating tokens after each use.

Testing

  • Updated authentication test assertions for access token and refresh token responses.
  • Verified controller and route syntax using:
node --check controllers/auth.controller.js
node --check routes/auth.routes.js

Related Issue

Closes #456

@vercel

vercel Bot commented Jun 28, 2026


Someone is attempting to deploy a commit to the niharika-mente's projects Team on Vercel.

A member of the Team first needs to authorize it.

Aamod007
Aamod007 previously approved these changes Jul 2, 2026

@Aamod007 Aamod007 left a comment

Collaborator


LGTM

@Aamod007 Aamod007 self-requested a review July 2, 2026 17:39

Development

Successfully merging this pull request may close these issues.

chore: rotate JWT refresh tokens on every use (Refresh Token Rotation)
