Refresh token implementation can be improved:
consider whether the UUID generated for the refresh token can be signed with a secret key known only to the server, so that the refresh endpoint cannot be attacked by replaying random UUIDs; a refresh token must carry a valid signature
implement a chain of refresh tokens
add parent_token, revoked_at and breached_at to the refresh token
when a refresh token is used, set revoked_at to the current timestamp
if we get a request for a revoked refresh token, that is an attempt to replay a refresh and the whole chain is compromised
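One way to implement the points above, as an added example that is not from the original notes: an HMAC-SHA256 signature over the UUID with a server-side key, and rotation that walks parent_token links to mark the whole chain breached on a replay. The key, the in-memory dict standing in for the refresh_token table, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
import uuid

# Server-side signing key (constructed here; in production load it from a secret store).
SECRET_KEY = secrets.token_bytes(32)
# In-memory stand-in for the refresh_token table: token_id -> row.
TOKENS = {}


def mint(parent_token=None):
    """Create a new refresh token "<uuid>.<hmac>" and record its row."""
    token_id = str(uuid.uuid4())
    sig = hmac.new(SECRET_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    TOKENS[token_id] = {"parent_token": parent_token, "revoked_at": None, "breached_at": None}
    return f"{token_id}.{sig}"


def token_id_if_signed(token):
    """Return the UUID part only if the HMAC matches; a random UUID fails here."""
    token_id, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET_KEY, token_id.encode(), hashlib.sha256).hexdigest()
    return token_id if hmac.compare_digest(sig.encode(), expected.encode()) else None


def chain_root(token_id):
    """Walk parent_token links back to the first token of the chain."""
    while TOKENS[token_id]["parent_token"] is not None:
        token_id = TOKENS[token_id]["parent_token"]
    return token_id


def refresh(token):
    """Rotate a refresh token. Returns (new_token_or_None, status)."""
    token_id = token_id_if_signed(token)
    if token_id is None or token_id not in TOKENS:
        return None, "invalid"
    row = TOKENS[token_id]
    if row["breached_at"] is not None:
        return None, "breached"
    if row["revoked_at"] is not None:
        # An already-used token came back: a replay, so the whole chain is compromised.
        now, root = time.time(), chain_root(token_id)
        for tid, r in TOKENS.items():
            if chain_root(tid) == root:
                r["breached_at"] = now
                r["revoked_at"] = r["revoked_at"] or now
        return None, "replay_detected"
    row["revoked_at"] = time.time()  # single use: rotate to a child token
    return mint(parent_token=token_id), "ok"
```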