The current API doesn't include a safety mechanism that prevents someone from using an old - yet still valid - intercepted refresh token.
One solution could be an iat comparison with the accessToken.
If the two dates are identical, it certifies the tokens have been emitted at the same time, and that the refreshToken is the last rT delivered.
I tried something in this file (beginning at line 74): https://github.com/Julien-Goletto/fastify-boilerplate/blob/main/src/modules/auth/auth.handler.ts
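The iat comparison proposed above, as an added, self-contained example; this is not code from the fastify-boilerplate repository or from the commenter. It signs HS256 tokens with node:crypto only (no JWT library), so the secret, the claim names (`sub`, `type`, `iat`, `exp`), the token lifetimes and the helper names are all assumptions made for the example. A refresh call must present both the (possibly expired) access token and the refresh token; both signatures are checked, the refresh token must be unexpired, and the two `iat` values must match before a new pair is issued.

```typescript
// Added example: refresh-token check based on comparing the refresh token's
// `iat` with the `iat` of the access token it was issued with. Everything
// below (secret, claim names, lifetimes, function names) is an assumption
// for the example, not the boilerplate's own code.
import { createHmac, timingSafeEqual } from "node:crypto";

const SECRET = "dev-only-secret-change-me"; // assumption: HS256 shared secret

interface Claims {
  sub: string;
  type: "access" | "refresh";
  iat: number; // seconds since epoch, as in RFC 7519
  exp: number;
}

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

function sign(claims: Claims): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", SECRET)
    .update(`${header}.${payload}`)
    .digest()
    .toString("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verify the signature (constant-time) and return the claims. `ignoreExp`
// lets the probably-expired access token be presented alongside the refresh
// token; its signature is still required to be valid.
function verify(token: string, now: number, ignoreExp = false): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header = "", payload = "", sig = ""] = parts;
  const expected = createHmac("sha256", SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
  } catch {
    return null;
  }
  if (typeof claims.iat !== "number" || typeof claims.exp !== "number") return null;
  if (!ignoreExp && claims.exp <= now) return null;
  return claims;
}

// Issue an access/refresh pair that shares one iat (lifetimes are assumptions).
function issuePair(sub: string, now: number): { accessToken: string; refreshToken: string } {
  return {
    accessToken: sign({ sub, type: "access", iat: now, exp: now + 15 * 60 }),
    refreshToken: sign({ sub, type: "refresh", iat: now, exp: now + 7 * 24 * 3600 }),
  };
}

// Refresh handler: both tokens must verify, carry the expected `type`, belong
// to the same subject and have an identical iat. A refresh token left over
// from an earlier issuance fails the iat comparison once a newer pair exists,
// because every refresh re-issues both tokens with the current time as iat.
function refresh(accessToken: string, refreshToken: string, now: number) {
  const at = verify(accessToken, now, true); // signature only; may be expired
  const rt = verify(refreshToken, now); // must be unexpired
  if (!at || !rt) return null;
  if (at.type !== "access" || rt.type !== "refresh") return null;
  if (at.sub !== rt.sub || at.iat !== rt.iat) return null;
  return issuePair(rt.sub, now);
}

// Self-check with a constructed clock: a first pair refreshes, then the old
// refresh token replayed together with the new access token is rejected.
function demo(): boolean {
  const t0 = 1700000000;
  const first = issuePair("user-42", t0);
  const second = refresh(first.accessToken, first.refreshToken, t0 + 1000);
  if (!second) return false;
  const replay = refresh(second.accessToken, first.refreshToken, t0 + 2000);
  return replay === null;
}
```

Two limits of this check are worth knowing before relying on it. `iat` is second-granular, so two refreshes inside the same second yield tokens the comparison cannot tell apart. More importantly, the comparison only defeats an attacker who holds the old refresh token without its matching access token: a pair intercepted together still passes, since the example must ignore the access token's expiry. Actually invalidating superseded refresh tokens needs server-side state, for instance storing the latest issued `iat` (or a `jti`) per subject and rejecting anything older.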