Refresh Token Automatic Reuse Detection #257
JanikoNaber
started this conversation in
Ideas
Replies: 1 comment 1 reply
-
Hi there 👋 You'll have to add some additional logic in your `getRefreshToken`:

```ts
async function getRefreshToken(token: string): Promise<RefreshToken | falsey> {
  const refreshToken = await refreshTokenRepository.findByToken(token)
  if (!refreshToken) {
    return null
  } else if (refreshToken.deletedAt) {
    // The token was already rotated once: treat this as reuse and revoke the whole family
    await refreshTokenRepository.deleteAllLinkedRefreshTokens(token)
    return null
  } else {
    const user = await userRepository.findOne(refreshToken.userUuid)
    const client = await clientRepository.findOne(refreshToken.clientUuid)
    return {
      refreshToken: token,
      user,
      client
    }
  }
}
```

So you'll also need to find a way to link all newly generated refreshTokens from

I think you can achieve this with a "hacky" modification of the `else` branch:

```ts
} else {
  const user = await userRepository.findOne(refreshToken.userUuid)
  const client = await clientRepository.findOne(refreshToken.clientUuid)
  // Remember the root of this token's family so saveToken can link the new token to it
  user.initialRefreshTokenUuid = refreshToken.initialUuid ?? refreshToken.uuid
  return {
    refreshToken: token,
    user,
    client
  }
}
```

So now you can implement the function `saveToken`:

```ts
async function saveToken (token: Token, client: Client, user: User): Promise<string> {
  await refreshTokenRepository.insert({
    initialUuid: user.initialRefreshTokenUuid,
    refreshToken: token.refreshToken
  })
  return token.refreshToken
}
```
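To make the scheme in the reply above concrete, here is an added example (not the library's own code, and not from anyone in this thread) that implements refresh token rotation with automatic reuse detection end to end: a token family is identified by the `initialUuid` of the first token issued at login, an exchanged token is soft-deleted via `deletedAt`, and presenting a soft-deleted token again revokes the whole family. The repository is an in-memory `Map`, token strings come from a counter rather than a CSPRNG, and the functions are synchronous; all of that is an assumption made so the example runs stand-alone.

```typescript
// Added example, not the library's own code: refresh token rotation with automatic
// reuse detection, following the deletedAt / initialUuid scheme from the reply above.
// Storage is an in-memory Map and token strings come from a counter so the example is
// self-contained and deterministic; a real server keeps rows in a database and
// generates tokens with a CSPRNG.

interface StoredRefreshToken {
  uuid: string;
  token: string;
  initialUuid: string;    // root of the token family: the first token issued at login
  userUuid: string;
  clientUuid: string;
  deletedAt: Date | null; // set when the token is exchanged; presenting it again is reuse
}

class RefreshTokenRepository {
  private rows = new Map<string, StoredRefreshToken>(); // keyed by token string
  private seq = 0;

  insert(row: { userUuid: string; clientUuid: string; initialUuid?: string }): StoredRefreshToken {
    this.seq += 1;
    const uuid = `uuid-${this.seq}`;
    const stored: StoredRefreshToken = {
      uuid,
      token: `rt-${this.seq}`,              // counter stands in for a random token
      initialUuid: row.initialUuid ?? uuid, // a token issued at login is its own family root
      userUuid: row.userUuid,
      clientUuid: row.clientUuid,
      deletedAt: null,
    };
    this.rows.set(stored.token, stored);
    return stored;
  }

  findByToken(token: string): StoredRefreshToken | null {
    return this.rows.get(token) ?? null;
  }

  // Soft delete: the row stays so a later replay is still recognised and traced to its family.
  markRotated(token: string): void {
    const row = this.rows.get(token);
    if (row) row.deletedAt = new Date();
  }

  // Hard delete every token in the family the given token belongs to; returns the count removed.
  deleteAllLinkedRefreshTokens(token: string): number {
    const row = this.rows.get(token);
    if (!row) return 0;
    let removed = 0;
    this.rows.forEach((other, key) => {
      if (other.initialUuid === row.initialUuid) {
        this.rows.delete(key);
        removed += 1;
      }
    });
    return removed;
  }

  size(): number { return this.rows.size; }
}

type RotationResult =
  | { ok: true; token: string }
  | { ok: false; reason: "unknown-token" | "reuse-detected"; revoked: number };

// Exchange a refresh token for a new one: getRefreshToken and saveToken from the reply
// collapsed into one step.
function rotate(repo: RefreshTokenRepository, presented: string): RotationResult {
  const current = repo.findByToken(presented);
  if (!current) {
    return { ok: false, reason: "unknown-token", revoked: 0 };
  }
  if (current.deletedAt) {
    // Reuse: this token was already exchanged once. Whether the legitimate client or a
    // thief presents it now, the family is compromised, so revoke all of it and force a
    // fresh login. A real server would also log userUuid/clientUuid here for investigation.
    const revoked = repo.deleteAllLinkedRefreshTokens(presented);
    return { ok: false, reason: "reuse-detected", revoked };
  }
  repo.markRotated(presented);
  const next = repo.insert({
    userUuid: current.userUuid,
    clientUuid: current.clientUuid,
    initialUuid: current.initialUuid, // keep the new token in the same family
  });
  return { ok: true, token: next.token };
}

// Constructed scenario: user-1's client rotates once, then a stolen copy of the old token
// is replayed. user-2's unrelated token must survive the revocation.
function scenario(): { first: RotationResult; replay: RotationResult; afterReplay: RotationResult; remaining: number } {
  const repo = new RefreshTokenRepository();
  const rt1 = repo.insert({ userUuid: "user-1", clientUuid: "client-1" }).token; // rt-1
  repo.insert({ userUuid: "user-2", clientUuid: "client-1" });                   // rt-2, other family
  const first = rotate(repo, rt1);                               // ok: rt-1 soft-deleted, rt-3 issued
  const replay = rotate(repo, rt1);                              // rt-1 again: reuse, rt-1 and rt-3 revoked
  const afterReplay = rotate(repo, first.ok ? first.token : ""); // rt-3 is gone: unknown-token
  return { first, replay, afterReplay, remaining: repo.size() }; // remaining is 1 (rt-2)
}
```

The soft delete is the important design choice: if `markRotated` hard-deleted the old row, a replayed token would simply look unknown and the server could neither tell reuse apart from a typo nor find the family to revoke. Hard deletion is only done once reuse has been detected, and it is scoped by `initialUuid` so other users' sessions are untouched.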
-
I'm looking for a reuse detection for refresh tokens, as described here https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/#Refresh-Token-Automatic-Reuse-Detection or here https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-4.12
Currently (as far as I understood it), it's possible for a third person to use a compromised refresh token forever, as soon as this third person has refreshed the token before the user did.
What do you think, is that something we should implement? Or have I just not seen it, and it's already there?