Open fpignatelli opened 2 years ago
same for me, and even more: if I run the token refresh endpoint it returns a new JWT token but the same refresh token. If I'm not mistaken, refresh should invalidate the provided refresh token and create a new one
same here
@bogdan-dubyk This behaviour is configurable by using the single_use parameter:
https://github.com/markitosgv/JWTRefreshTokenBundle#single-use-tokens
I have configured LexikJWTAuthenticationBundle + JWTRefreshTokenBundle in Symfony 6.1/MySQL. Everything works correctly, but if I send username and password several times (for example from Postman), more refresh tokens referring to the user are inserted in the database. In this way a user (malicious or not) can send repeated calls, filling the database with refresh tokens.
Is it a configuration error? Any ideas?
Thanks in advance.
lexik_jwt_authentication.yaml
gesdinet_jwt_refresh_token.yaml
security.yaml
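As an added illustration (not a file from this thread or from the bundle's own repository), here is a `gesdinet_jwt_refresh_token.yaml` showing the default behaviour the commenters describe beside the `single_use` setting the maintainer points to. The `ttl` key, its 30-day default and the `gesdinet:jwt:clear` command are the bundle's documented options as I know them, not values taken from this issue.

```yaml
# config/packages/gesdinet_jwt_refresh_token.yaml
#
# Variant 1 (bundle default): the refresh endpoint issues a new JWT but
# hands back the SAME refresh token, so a refresh token stays valid for
# its whole ttl even after it has been used. A leaked token can be
# replayed until it expires.
gesdinet_jwt_refresh_token:
    single_use: false      # default: no rotation, token is reused
    ttl: 2592000           # 30 days (bundle default, in seconds)

---
# Variant 2 (rotation): every successful refresh invalidates the refresh
# token that was presented and stores a fresh one. A replayed token that
# the legitimate client has already exchanged is rejected, which bounds
# the window in which a stolen refresh token is usable.
gesdinet_jwt_refresh_token:
    single_use: true       # rotate on every refresh
    ttl: 2592000

# Note on the database-growth report: single_use does not change the
# one-row-per-login pattern; each successful login still inserts a new
# refresh token. Expired rows are removed with the bundle's console
# command `php bin/console gesdinet:jwt:clear`, which should run on a
# schedule, while repeated credential submissions are a login-throttling
# concern for security.yaml rather than for this bundle.
```

The two documents above are alternatives separated by `---` for side-by-side reading; a real Symfony config file contains only one of them.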