There should be a logout route that takes the refresh token from the request's Authorization header, e.g. `Authorization: Bearer TOKEN_VALUE`.
On logout the refresh token must be invalidated by adding it to the blacklist collection. For the blacklist to have any effect, the refresh route must reject any token found in that collection before issuing new tokens.
The blacklist collection schema:

| Field | Description |
| --- | --- |
| timestamp | Expiry timestamp of the refresh token. Storing the expiry alongside the blacklisted refresh token makes it easy to clean up entries whose token has already expired at regular intervals. |
This is a sub issue of #9
Tasks