LJOSC / checkmark-backend

CheckMark Backend: The Backbone of Task Tracking

feat: jwt refresh token rotation #27

Closed HarshDobariya79 closed 2 months ago

HarshDobariya79 commented 3 months ago

This is a sub-issue of #6.

Tasks

het4399 commented 3 months ago

Hey, I would like to give it a try!

HarshDobariya79 commented 2 months ago

> Hey, I would like to give it a try!

Go ahead @het4399.

HarshDobariya79 commented 2 months ago

> Hey, I would like to give it a try!
>
> Go ahead @het4399.

Any update on the progress @het4399?

het4399 commented 2 months ago

I am learning a few things related to this issue, and it will be completed by the weekend.

HarshDobariya79 commented 2 months ago

Okay, no problem. Take your time. You can refer to https://github.com/LJOSC/checkmark-backend/blob/e5a84bdbf5d490e43252f606b5ee532498e95113/src/routes/user/user.service.ts#L168 to understand how the blacklisting is being done. If you're planning to use the same dao function, please change the function name in user.dao.ts from logoutUser to blacklistToken to avoid confusion.

HarshDobariya79 commented 2 months ago

Any progress @het4399?

het4399 commented 2 months ago

> Any progress @het4399?

Yes, I understand the project and how the flow of the request works, and I have learned about refresh tokens, as I was not aware of them exactly. According to the issue and the requirements, I am working on that.

het4399 commented 2 months ago

Shall I make the remember-me payload optional or mandatory?

het4399 commented 2 months ago

@HarshDobariya79, hey, should I rotate the refresh token during logout?

HarshDobariya79 commented 2 months ago

> @HarshDobariya79, hey, should I rotate the refresh token during logout?

No, Het. In the logout API it shouldn't be rotated; rather, it should be blacklisted, which is already being handled in the logout route. Whenever you get a request for renewing the access token, just send a refresh token as well with the new access token and blacklist the old refresh token. That's what we want as of now.

The condition we discussed before, where we only need to send a new refresh token when it is going to expire in the next 5 days, we need to skip for now. Just send a new refresh token every time along with the new access token. Don't forget the blacklisting of the old refresh token.

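The flow agreed above (blacklist on logout, and on every access-token renewal issue a fresh access/refresh pair while blacklisting the refresh token that was just presented) as an added example. This is not code from checkmark-backend: it uses HS256-style compact tokens signed with a shared secret via Node's `crypto`, an in-memory `Map` standing in for the project's `blacklistToken` dao call, and hypothetical function names (`issueTokens`, `refreshTokens`, `logout`, `isBlacklisted`). Presenting an already-blacklisted refresh token is treated as reuse and rejected, which is the property rotation buys you.

```typescript
// Added example, not checkmark-backend code. Assumptions: shared HMAC secret,
// in-memory blacklist keyed by the refresh token's jti, hypothetical names.
import { createHmac, randomUUID, timingSafeEqual } from "node:crypto";

type TokenType = "access" | "refresh";
interface Claims { sub: string; type: TokenType; jti: string; iat: number; exp: number }

const SECRET = "replace-with-a-real-secret"; // assumption: read from env in a real deployment
const ACCESS_TTL = 15 * 60;          // 15 minutes, in seconds
const REFRESH_TTL = 30 * 24 * 3600;  // 30 days, in seconds

// jti -> exp of blacklisted refresh tokens; stands in for the dao's blacklist table.
const blacklist = new Map<string, number>();

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// header.payload.signature, HMAC-SHA256 over "header.payload"
function sign(claims: Claims): string {
  const body = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  const sig = createHmac("sha256", SECRET).update(body).digest("base64url");
  return `${body}.${sig}`;
}

// Checks signature (constant-time), token type and expiry; returns the claims.
function verify(token: string, expected: TokenType, now: number): Claims {
  const [h, p, sig] = token.split(".");
  if (!h || !p || !sig) throw new Error("malformed token");
  const good = createHmac("sha256", SECRET).update(`${h}.${p}`).digest("base64url");
  if (sig.length !== good.length || !timingSafeEqual(Buffer.from(sig), Buffer.from(good))) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(p, "base64url").toString()) as Claims;
  if (claims.type !== expected) throw new Error(`expected ${expected} token`);
  if (claims.exp <= now) throw new Error("token expired");
  return claims;
}

// Login: a fresh access/refresh pair, each with its own jti.
function issueTokens(userId: string, now = Math.floor(Date.now() / 1000)) {
  const mk = (type: TokenType, ttl: number): string =>
    sign({ sub: userId, type, jti: randomUUID(), iat: now, exp: now + ttl });
  return { accessToken: mk("access", ACCESS_TTL), refreshToken: mk("refresh", REFRESH_TTL) };
}

function jtiOf(token: string): string {
  const p = token.split(".")[1] ?? "";
  return (JSON.parse(Buffer.from(p, "base64url").toString()) as Claims).jti;
}

function isBlacklisted(refreshToken: string): boolean {
  return blacklist.has(jtiOf(refreshToken));
}

// Renewal: the presented refresh token must be valid and unused; it is
// blacklisted, then a brand-new pair is returned (rotation every time).
function refreshTokens(oldRefreshToken: string, now = Math.floor(Date.now() / 1000)) {
  const claims = verify(oldRefreshToken, "refresh", now);
  if (blacklist.has(claims.jti)) throw new Error("refresh token reuse detected");
  blacklist.set(claims.jti, claims.exp);
  return issueTokens(claims.sub, now);
}

// Logout: blacklist only, no rotation.
function logout(refreshToken: string, now = Math.floor(Date.now() / 1000)): void {
  const claims = verify(refreshToken, "refresh", now);
  blacklist.set(claims.jti, claims.exp);
}

// Housekeeping: entries past their exp can never verify again, so drop them.
function purgeExpiredBlacklist(now = Math.floor(Date.now() / 1000)): number {
  let removed = 0;
  for (const [jti, exp] of blacklist) {
    if (exp <= now) { blacklist.delete(jti); removed++; }
  }
  return removed;
}
```

Storing only the jti (plus exp, so the entry can be purged once it could no longer verify anyway) keeps the blacklist small and avoids persisting raw tokens; a real deployment would put the same map in the database behind `blacklistToken` and index it by jti.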
het4399 commented 2 months ago

> @HarshDobariya79, hey, should I rotate the refresh token during logout?
>
> No, Het. In the logout API it shouldn't be rotated; rather, it should be blacklisted, which is already being handled in the logout route. Whenever you get a request for renewing the access token, just send a refresh token as well with the new access token and blacklist the old refresh token. That's what we want as of now.
>
> The condition we discussed before, where we only need to send a new refresh token when it is going to expire in the next 5 days, we need to skip for now. Just send a new refresh token every time along with the new access token. Don't forget the blacklisting of the old refresh token.

As every time we refresh the access token the refresh token is also changing and the old refresh token is being blacklisted, Remember Me will not play any role? Am I right?

HarshDobariya79 commented 2 months ago

> @HarshDobariya79, hey, should I rotate the refresh token during logout?
>
> No, Het. In the logout API it shouldn't be rotated; rather, it should be blacklisted, which is already being handled in the logout route. Whenever you get a request for renewing the access token, just send a refresh token as well with the new access token and blacklist the old refresh token. That's what we want as of now. The condition we discussed before, where we only need to send a new refresh token when it is going to expire in the next 5 days, we need to skip for now. Just send a new refresh token every time along with the new access token. Don't forget the blacklisting of the old refresh token.
>
> As every time we refresh the access token the refresh token is also changing and the old refresh token is being blacklisted, Remember Me will not play any role? Am I right?

For now, let's go with that. Forget Remember Me for now.