Feat: ability to revoke refresh tokens #45

Open
probablyArth opened this issue Jun 6, 2023 · 0 comments

probablyArth commented Jun 6, 2023

As a user, I wish to be able to revoke refresh tokens so that if refresh tokens get leaked, the attacker won't be able to generate new access tokens.

Implementation details:

  • Add an extra field on refreshToken payload called tokenId
  • Create a table called BlacklistedRefreshToken.
  • Add the revoked refreshTokens to that table.
  • While the user tries to generate accessToken using refreshToken, verify it's not blacklisted.

hussu010 changed the title from "refresh the refresh tokens" to "Feat: ability to revoke refresh tokens" on Jun 7, 2023
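A sketch of the four steps proposed in the issue, added here as an example and not taken from the project's code. Assumptions: hand-rolled HS256 tokens built with the standard library, an in-memory SQLite table standing in for the project's database, hypothetical function names, and two additions the issue does not mention (a `type` claim and an `expiresAt` column so revoked rows can be purged once the token would have expired anyway).

```python
import base64, hashlib, hmac, json, sqlite3, time, uuid

SECRET = b"constructed-demo-key"  # assumption: HS256 key, demo value only
db = sqlite3.connect(":memory:")  # stand-in for the project's database
# expiresAt is an added assumption so expired rows can be purged later.
db.execute("CREATE TABLE BlacklistedRefreshToken ("
           "tokenId TEXT PRIMARY KEY, expiresAt INTEGER NOT NULL)")

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input: str) -> bytes:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return _b64(mac).encode()

def issue_token(user_id: str, kind: str, ttl: int) -> str:
    payload = {"sub": user_id, "type": kind, "exp": int(time.time()) + ttl}
    if kind == "refresh":
        payload["tokenId"] = uuid.uuid4().hex  # unique id used for revocation
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_sign(head + '.' + body).decode()}"

def verify_token(token: str, kind: str) -> dict:
    head, body, sig = token.split(".")  # ValueError if not three parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{head}.{body}")):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload.get("type") != kind or payload.get("exp", 0) <= time.time():
        raise ValueError("wrong token type or expired")
    return payload

def revoke_refresh_token(token: str) -> None:
    payload = verify_token(token, "refresh")
    db.execute("INSERT OR IGNORE INTO BlacklistedRefreshToken VALUES (?, ?)",
               (payload["tokenId"], payload["exp"]))

def refresh_access_token(token: str) -> str:
    payload = verify_token(token, "refresh")
    token_id = payload.get("tokenId")
    revoked = db.execute("SELECT 1 FROM BlacklistedRefreshToken WHERE tokenId = ?",
                         (token_id,)).fetchone()
    if token_id is None or revoked:  # tokens without an id cannot be checked
        raise PermissionError("refresh token revoked or missing tokenId")
    return issue_token(payload["sub"], "access", 900)

def purge_expired() -> int:
    cur = db.execute("DELETE FROM BlacklistedRefreshToken WHERE expiresAt <= ?",
                     (int(time.time()),))
    return cur.rowcount
```

Refresh tokens issued before `tokenId` existed carry no id and are rejected here, so a rollout needs either a forced re-login or a grace period for the old format.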