Implement POST /api/auth/refresh Endpoint #32

Closed
opened 2025-10-17 23:27:12 +00:00 by Rodrigo2003-PT · 0 comments
Rodrigo2003-PT commented 2025-10-17 23:27:12 +00:00 (Migrated from github.com)

This new endpoint will exchange a valid refresh token for a new access token.

Tasks:

  • Create the route for POST /api/auth/refresh.
  • Expect the refresh_token in the request body (or read from cookie).
  • Call token_service.validate_refresh_token.
  • If valid, generate a new access_token and return it.
  • Implement Refresh Token Rotation: when a refresh token is used, revoke it and issue a new refresh token along with the new access token. This prevents token re-use if one is compromised.
  • If the refresh token is invalid, expired, or revoked, return 401 Unauthorized.
This new endpoint will exchange a valid refresh token for a new access token. Tasks: - Create the route for `POST /api/auth/refresh`. - Expect the `refresh_token` in the request body (or read from cookie). - Call `token_service.validate_refresh_token`. - If valid, generate a *new* `access_token` and return it. - Implement **Refresh Token Rotation**: when a refresh token is used, revoke it and issue a new refresh token along with the new access token. This prevents token re-use if one is compromised. - If the refresh token is invalid, expired, or revoked, return `401 Unauthorized`.
Sign in to join this conversation.
No description provided.