dkantereivin / nest-nuxt-starter

My customized starter project for Nest and Nuxt including config, user authentication, prisma, and common items.
MIT License
1 star, 0 forks

Refresh token reuse should invalidate all refresh tokens #2

Open wesamjabali opened 2 years ago

wesamjabali commented 2 years ago

In useRefreshToken, you should delete all refresh tokens from redis. If a hacker has one refresh token, we can assume they have more than one. We should invalidate all refresh tokens, and possibly even notify the user that they should change their password.

This is taken from Auth0's recommendation here: https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation

dkantereivin commented 2 years ago

I assume you're talking about invalidating all tokens for a particular user. This is likely to end up in whatever final implementation of this, but I don't think there's one behaviour that will apply in the scenario of a compromise, which is why I have left it unimplemented and with a comment in the docs. For example, I might want to do any of the following:

  1. Invalidate other tokens by the same user, as you've suggested.
  2. Send a security notification.
  3. Lock out the user entirely and require more than just reauthentication.

In particular, step 3 would require a different implementation wherein the DB is checked for user security status (which actually already occurs, implicitly through the "disabled" field). This would prevent the user from using their refresh token for anything meaningful.