Summary

Refresh tokens live 30 days and cannot be invalidated early. Logout only clears the access token on the client. A stolen refresh token gives an attacker a month of access.

Changes

- Redis key `auth:revoked_refresh:{jti}` with TTL = remaining lifetime of the token.
- `backend/auth/src/services/auth.py` — on `Logout`, on password change, and on `DeleteUser`, insert the `jti` of the user's active refresh tokens into the revocation set.
- `RefreshTokens` handler checks Redis before minting new access tokens.
- `auth_refresh_revoked_hit_total` metric (see feat(observability): structured logging, metrics, tracing #10).

Verification

- `/Logout`, then `/RefreshTokens` with the old refresh — returns `UNAUTHENTICATED`.
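The revocation flow described above, as an added example that is not the project's code: a `jti` is written under `auth:revoked_refresh:{jti}` with a TTL equal to the token's remaining lifetime (already-expired tokens are skipped, since they fail the `exp` check anyway), and the refresh path rejects revoked or expired tokens before minting. The in-memory `FakeRedis`, the claim dict shape, the 15-minute access-token lifetime and the `(status, detail)` return values are assumptions made for the example.

```python
import math
import time

REVOKED_KEY = "auth:revoked_refresh:{jti}"
ACCESS_TTL_SECONDS = 15 * 60  # assumed access-token lifetime


class FakeRedis:
    """Minimal stand-in for the two redis-py calls used here (constructed for the example).
    Keys expire at the injected clock time, mirroring SET ... EX and EXISTS."""

    def __init__(self, clock=time.time):
        self._expiry = {}  # key -> absolute expiry timestamp
        self._clock = clock

    def set(self, name, value, ex=None):
        self._expiry[name] = self._clock() + ex if ex is not None else math.inf

    def exists(self, name):
        exp = self._expiry.get(name)
        if exp is None:
            return 0
        if exp <= self._clock():
            del self._expiry[name]  # lazily drop expired keys
            return 0
        return 1


def revoke_refresh_token(r, claims, now):
    """Mark one refresh token revoked for exactly its remaining lifetime."""
    remaining = math.ceil(claims["exp"] - now)
    if remaining <= 0:
        return False  # already expired; nothing to remember in Redis
    r.set(REVOKED_KEY.format(jti=claims["jti"]), "1", ex=remaining)
    return True


def revoke_all(r, active_claims, now):
    """Logout / password change / DeleteUser: revoke every active refresh token."""
    return sum(revoke_refresh_token(r, c, now) for c in active_claims)


def refresh_access_token(r, claims, now):
    """RefreshTokens handler: expiry check, then revocation check, then mint."""
    if claims["exp"] <= now:
        return ("UNAUTHENTICATED", "expired")
    if r.exists(REVOKED_KEY.format(jti=claims["jti"])):
        return ("UNAUTHENTICATED", "revoked")  # would bump auth_refresh_revoked_hit_total
    return ("OK", {"sub": claims["sub"], "exp": now + ACCESS_TTL_SECONDS})
```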