JasperKent / WebApi-Authentication

Source code accompanying the videos https://youtu.be/ZubGYVHTI3Q, https://youtu.be/l8yepSs_Pk8 and https://youtu.be/xfXX9Gu_cpE

Refresh Token Question #1

Open mxmissile opened 5 months ago

mxmissile commented 5 months ago

If I understand this correctly, when logging in on my browser and then logging in on my phone, my user account's refresh token gets overwritten. Wouldn't you need to save the tokens in a separate one-to-many table instead of the user's entity?

JasperKent commented 5 months ago

Yes, that's correct. Each new login will overwrite any existing refresh token. It would be perfectly possible to store multiple refresh tokens for a single user, but that would lead to a potential slight reduction in security. As ever, it's a balance between convenience and security.
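
The one-to-many layout asked about in this thread, as an added example that is not code from this repository: each login gets its own row, so a phone login no longer overwrites the browser's refresh token, and one device can be signed out without touching the others. The type and member names, the in-memory list standing in for a database table, storing only a hash of each token, and the 7-day lifetime are all assumptions made for the illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo input: one user signed in from a browser and a phone.
var store = new RefreshTokenStore();
var now = DateTime.UtcNow;
var browser = store.Login("alice", "browser", now);
var phone = store.Login("alice", "phone", now);
Console.WriteLine(store.Refresh("alice", browser, now) is not null); // browser token, used after the phone login
store.Revoke("alice", "phone");                                      // sign out the phone only
Console.WriteLine(store.Refresh("alice", phone, now) is not null);   // phone token, used after its revocation

// Hypothetical row type: the "many" side of the user-to-tokens relationship.
public record RefreshSession(string UserId, string Device, string TokenHash, DateTime ExpiresUtc);

public class RefreshTokenStore
{
    // Stand-in for a RefreshSessions table keyed to the user (assumption: in-memory for the demo).
    private readonly List<RefreshSession> _rows = new();
    private static string NewToken() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    private static string Hash(string t) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(t)));

    // Login replaces only this device's row; sessions on other devices are left alone.
    public string Login(string userId, string device, DateTime nowUtc)
    {
        _rows.RemoveAll(r => r.UserId == userId && r.Device == device);
        var token = NewToken();
        _rows.Add(new RefreshSession(userId, device, Hash(token), nowUtc.AddDays(7)));
        return token;
    }

    // Refresh rotates the matching row; returns null for an unknown, already-used or expired token.
    public string? Refresh(string userId, string presented, DateTime nowUtc)
    {
        var row = _rows.FirstOrDefault(r => r.UserId == userId && r.TokenHash == Hash(presented));
        if (row is null) return null;
        _rows.Remove(row);
        if (row.ExpiresUtc <= nowUtc) return null;
        var token = NewToken();
        _rows.Add(row with { TokenHash = Hash(token), ExpiresUtc = nowUtc.AddDays(7) });
        return token;
    }

    // Revoke one device, or every session for the user when device is null.
    public int Revoke(string userId, string? device = null) =>
        _rows.RemoveAll(r => r.UserId == userId && (device is null || r.Device == device));
}
```

With several rows per user, more refresh tokens are valid at the same time, which is the trade-off the reply describes; keeping only hashes and revoking per device are ways to limit what each extra row exposes.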