On login, the client will receive 2 tokens: accessToken and refreshToken.
AccessToken is used only for accessing authorized endpoints and has a short lifetime.
RefreshToken is used for refreshing the accessToken on the /auth/refreshToken endpoint (this endpoint returns an accessToken).
At any given moment a user can only have 1 pair of access/refresh tokens assigned to them for security reasons. (I can change that behavior.)
On delete, all pairs of access/refresh tokens are deleted from the registry => the client will not be able to access authorized endpoints after the user is deleted.
On login, all pairs of access/refresh tokens are regenerated.
In the next PR I want to create a logout endpoint that will delete the currently stored token pairs for a specific user from memory, which will make those tokens invalid.
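The registry semantics described above (one pair per user, regeneration on login, removal on user delete, access-token refresh via /auth/refreshToken), as an added in-memory sketch that is not this project's code; the class and method names (TokenRegistry, authorize, refresh, revoke_user) and the 900-second default lifetime are assumptions for illustration.

```python
import secrets
import time

class TokenRegistry:
    """One access/refresh pair per user; replacing or dropping it invalidates all earlier tokens."""
    def __init__(self, access_ttl=900):
        self.access_ttl = access_ttl   # seconds an access token stays valid (assumed default)
        self._by_user = {}             # user_id -> {"access", "refresh", "exp"}
        self._access_owner = {}        # access token -> user_id
        self._refresh_owner = {}       # refresh token -> user_id

    def _drop(self, user_id):
        pair = self._by_user.pop(user_id, None)
        if pair:
            self._access_owner.pop(pair["access"], None)
            self._refresh_owner.pop(pair["refresh"], None)

    def login(self, user_id, now=None):
        now = time.time() if now is None else now
        self._drop(user_id)            # regenerate: the previous pair stops working
        pair = {"access": secrets.token_urlsafe(32), "refresh": secrets.token_urlsafe(32),
                "exp": now + self.access_ttl}
        self._by_user[user_id] = pair
        self._access_owner[pair["access"]] = user_id
        self._refresh_owner[pair["refresh"]] = user_id
        return pair["access"], pair["refresh"]

    def authorize(self, access_token, now=None):
        # Authorized endpoints accept only a registered, unexpired access token.
        now = time.time() if now is None else now
        user_id = self._access_owner.get(access_token)
        if user_id is None or self._by_user[user_id]["exp"] <= now:
            return None
        return user_id

    def refresh(self, refresh_token, now=None):
        # /auth/refreshToken: rotate the access token, keep the refresh token.
        now = time.time() if now is None else now
        user_id = self._refresh_owner.get(refresh_token)
        if user_id is None:
            return None
        pair = self._by_user[user_id]
        self._access_owner.pop(pair["access"], None)
        pair["access"] = secrets.token_urlsafe(32)
        pair["exp"] = now + self.access_ttl
        self._access_owner[pair["access"]] = user_id
        return pair["access"]

    def revoke_user(self, user_id):
        self._drop(user_id)            # user delete (and the planned logout): forget the pair
```

Because lookups go through the registry rather than only checking a signature, a token that was valid a second ago stops working the instant its user's pair is replaced or removed.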