Open alittlebroken opened 1 year ago
Currently we only supply the user id when we check the refreshtokens table in the database when we wish to see if the user already has a refreshtoken.
To make it more secure we should also check against another piece of information.
I suggest we use the token itself as well as this will be stored in a httpOnly cookie and never seen by the end user.