Open
Description
As a user, I wish to be able to revoke refresh tokens so that if refresh tokens get leaked, the attacker won't be able to generate new access tokens.

Implementation details:
- Add an extra field on the refreshToken payload called tokenId.
- Create a table called BlacklistedRefreshToken.
- Add the revoked refreshTokens to that table.
- While the user tries to generate an accessToken using a refreshToken, verify it's not blacklisted.
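The flow proposed above, as an added example that is not the project's own code: it assumes HMAC-signed tokens with a JSON payload, an in-memory set standing in for the BlacklistedRefreshToken table, and an `exp` field so blacklist rows can be pruned once the token would have expired anyway.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in real code

# Assumed stand-in for the BlacklistedRefreshToken table: only tokenIds are stored,
# never the tokens themselves. Rows can be dropped once their exp has passed.
blacklisted_refresh_tokens: set[str] = set()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def _encode(payload: dict) -> str:
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def issue_refresh_token(user_id: str, ttl: int = 30 * 86400) -> str:
    # tokenId is the extra payload field from the issue; random so it cannot be guessed
    payload = {"sub": user_id, "tokenId": secrets.token_urlsafe(16),
               "exp": int(time.time()) + ttl}
    return _encode(payload)

def decode_refresh_token(token: str) -> dict:
    # Signature check first, so an attacker cannot forge a payload with a fresh tokenId
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] < time.time():
        raise ValueError("expired")
    return payload

def revoke_refresh_token(token: str) -> None:
    # Insert the revoked token's tokenId into the blacklist table
    blacklisted_refresh_tokens.add(decode_refresh_token(token)["tokenId"])

def issue_access_token(refresh_token: str) -> str:
    payload = decode_refresh_token(refresh_token)
    # The check the issue asks for: refuse a blacklisted tokenId before minting an access token
    if payload["tokenId"] in blacklisted_refresh_tokens:
        raise PermissionError("refresh token revoked")
    return _encode({"sub": payload["sub"], "exp": int(time.time()) + 900})
```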