ReVanced / revanced-releases-api

🚀 JSON API for ReVanced Releases
https://releases.revanced.app
GNU Affero General Public License v3.0

bug: /auth/refresh doesn't perform proper auth checks #19

Closed alexandreteles closed 1 year ago

alexandreteles commented 1 year ago

Describe the bug: Currently the endpoint used to refresh our PASETO tokens doesn't check for the validity or the state of a client or the token itself, allowing deactivated or deleted clients to obtain a new, albeit non-functional, token from the refresh endpoint.

As we want those tokens to be banned as quickly as possible, those checks should be done during token refreshes as well.

To Reproduce W/A

Expected behavior W/A

Screenshots W/A

Desktop (please complete the following information): W/A

Smartphone (please complete the following information): W/A

Additional context ToDo
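An added example, not part of the issue and not the project's code or its fix: a refresh path that only verifies the token next to one that also re-checks the ban list and the client's state before minting a replacement. It uses a stdlib HMAC-signed token as a stand-in for PASETO; `CLIENTS`, `BANNED_JTI`, `issue`, `ban`, `refresh_unchecked` and `refresh_checked` are hypothetical names, and the key and client record are constructed.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)          # constructed signing key for the demo
CLIENTS = {"alice": {"active": True}}  # constructed client store
BANNED_JTI = set()                     # identifiers of banned tokens

class RefreshDenied(Exception):
    pass

def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue(client_id: str, ttl: int = 3600) -> str:
    """Mint a signed token (HMAC stand-in for PASETO) for a client."""
    claims = {"sub": client_id, "jti": secrets.token_hex(8), "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def _verify(token: str) -> dict:
    """Check integrity and expiry only; says nothing about client state."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise RefreshDenied("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise RefreshDenied("expired")
    return claims

def ban(token: str) -> None:
    """Put a token's identifier on the ban list."""
    BANNED_JTI.add(_verify(token)["jti"])

def refresh_unchecked(token: str) -> str:
    """Models the gap in the issue: no ban-list or client-state check."""
    return issue(_verify(token)["sub"])

def refresh_checked(token: str) -> str:
    """Re-check token and client state before issuing a new token."""
    claims = _verify(token)
    if claims["jti"] in BANNED_JTI:
        raise RefreshDenied("token banned")
    client = CLIENTS.get(claims["sub"])
    if client is None or not client["active"]:
        raise RefreshDenied("client deleted or deactivated")
    return issue(claims["sub"])
```

A token that still verifies cryptographically says nothing about whether its client was deactivated after issuance, which is why the state lookup has to happen on every refresh.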

alexandreteles commented 1 year ago

Solved by #23