feat(auth): rotate refresh token #98

Merged
Besthope-Official merged 3 commits into main from feat/refresh-token-rotation
Jan 30, 2026

Conversation

Besthope-Official (Contributor) commented Jan 30, 2026

Related Issue

Closes #96

Summary of Changes

  • Implement refresh token rotation on /auth/jwt/refresh endpoint
  • Old refresh token is invalidated on each refresh, new token issued alongside access token
  • Remove unused AccessTokenResponse schema

Breaking Changes

  • POST /auth/jwt/refresh response now includes refresh_token field (was access_token only)
  • Clients must store and use the new refresh token for subsequent calls

Checklist

  • Issue discussion completed before opening PR
  • Scope is small and focused (single feature/fix)
  • All functions have full type annotations
  • Async/await used for all I/O operations
  • Tests added for new behaviors

Test plan

  • test_refresh_token_rotation verifies old token returns 401 after rotation
  • test_refresh_token_rotation verifies new token works (returns 200)

Besthope-Official added the enhancement and Backend-enhanced labels Jan 30, 2026
Besthope-Official merged commit d81762c into main Jan 30, 2026
3 checks passed
Besthope-Official deleted the feat/refresh-token-rotation branch January 30, 2026 14:27
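
The rotation behaviour this PR describes (old refresh token rejected after one use, new one returned alongside the access token), as an added Python example that is not the project's code. It assumes opaque random refresh tokens kept server-side as SHA-256 digests in an in-memory dict; `RefreshTokenStore`, `InvalidRefreshToken`, `REFRESH_TTL_SECONDS` and the placeholder access token are hypothetical.

```python
from __future__ import annotations

import hashlib
import secrets
import time

REFRESH_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime, not taken from the PR


class InvalidRefreshToken(Exception):
    """Would map to the 401 the PR's test expects for a rotated-out token."""


class RefreshTokenStore:
    """In-memory stand-in for a server-side refresh token table (hypothetical)."""

    def __init__(self) -> None:
        # sha256(token) -> (user_id, expires_at); raw tokens are never stored
        self._active: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._active[self._digest(token)] = (user_id, now + REFRESH_TTL_SECONDS)
        return token

    def rotate(self, presented: str, now: float | None = None) -> dict[str, str]:
        """Consume the presented token and build the new refresh response body."""
        now = time.time() if now is None else now
        # pop() removes the entry before anything is issued, so the token is
        # single-use: a replay or a second concurrent request finds nothing.
        record = self._active.pop(self._digest(presented), None)
        if record is None or record[1] <= now:
            raise InvalidRefreshToken("unknown, already rotated, or expired")
        return {
            "access_token": "access-" + secrets.token_urlsafe(16),  # placeholder, not a real JWT
            "refresh_token": self.issue(record[0], now),
        }
```

A client has to overwrite its stored refresh token with the `refresh_token` from each response, since the one it just sent no longer exists in the store.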

Development

Successfully merging this pull request may close these issues.

Refresh Token Rotation
