Lots of tests in this PR. Pull down the code and run. I'd love to try this stuff against your ReactApp.
AuthenticationsController is responsible for logging a user in with their email and password and also deleting their session by logging out
RenewalsController is responsible for attempting to refresh an access token
api/v1/protected/SessionsController is responsible for READONLY access to session information. The refresh token id (RUID) is never transmitted. There is one PATCH/PUT action; invalidate. Passing a SESSION.ID (not RUID) to the invalidate method will attempt to invalidate that session by immediately expiring that refresh token thereby destroying that session's ability to renew the next time the access token expires.
api/v1/protected/UsersController is responsible for User CRUD
Some global notes about this PR:
AuthenticationsControlleris responsible for logging a user in with their email and password and also deleting their session by logging outRenewalsControlleris responsible for attempting to refresh an access tokenapi/v1/protected/SessionsControlleris responsible for READONLY access to session information. The refresh token id (RUID) is never transmitted. There is one PATCH/PUT action;invalidate. Passing aSESSION.ID(notRUID) to theinvalidatemethod will attempt to invalidate that session by immediately expiring that refresh token thereby destroying that session's ability to renew the next time the access token expires.api/v1/protected/UsersControlleris responsible for User CRUDLots of TODOs. I'll markup #1 and this PR.