feat(auth): add refresh token rotation security
Refresh tokens are generated for the user at all times. Refresh tokens are rotated every time a
refresh token is used. If a refresh token is used twice, it is marked as compromised and the user is
locked out.
Frantz Kati committed Nov 26, 2020
1 parent 72e8b42 commit edf90e4
Showing 9 changed files with 248 additions and 18,301 deletions.
4 changes: 0 additions & 4 deletions examples/blog/app.js
@@ -39,10 +39,6 @@ module.exports = tensei()
.teams()
.apiPath('auth')
.rolesAndPermissions()
.jwt({
expiresIn: 60,
refreshTokenExpiresIn: 60 * 2,
})
.social('github', {
key: process.env.GITHUB_KEY,
secret: process.env.GITHUB_SECRET,
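Review bot: deleting the `.jwt({ expiresIn: 60, refreshTokenExpiresIn: 60 * 2 })` block leaves examples/blog/app.js with no token-lifetime or secret configuration at all, while packages/auth/src/config.ts in this same commit replaces `jwt` with `tokensConfig` (`secretKey`, `accessTokenExpiresIn`, `refreshTokenExpiresIn`). Update the example to the new shape instead of removing the lines, so it shows that a `secretKey` now has to be supplied (from the environment, the way the `social('github', …)` block below does with `process.env.GITHUB_SECRET`). If the 60 s / 120 s values are kept as sample values, note that a refresh token living only twice as long as the access token gives the rotation described in the commit message very little room to work.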
12 changes: 10 additions & 2 deletions packages/auth/src/config.ts
@@ -33,19 +33,27 @@ export type AuthResources = {
permission: ResourceContract
teamInvite: ResourceContract
passwordReset: ResourceContract
token: ResourceContract
}

export enum TokenTypes {
REFRESH = 'REFRESH',
API = 'API'
}

export interface AuthPluginConfig {
fields: FieldContract[]
profilePictures: boolean
userResource: string
roleResource: string
disableCookies: boolean
permissionResource: string
rolesAndPermissions: boolean
passwordResetResource: string
apiPath: string
jwt: {
expiresIn: number
tokensConfig: {
secretKey: string
accessTokenExpiresIn: number
refreshTokenExpiresIn: number
}
refreshTokenCookieName: string
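Review bot: the new `tokensConfig` fields carry no documentation of units or constraints. `accessTokenExpiresIn` and `refreshTokenExpiresIn` are bare `number`s (the removed example used `60` and `60 * 2`, which suggests seconds), and nothing here states that `refreshTokenExpiresIn` must exceed `accessTokenExpiresIn`, which the rotation scheme in the commit message relies on. Add a unit comment on each field, e.g. `accessTokenExpiresIn: number // seconds`, and validate the ordering where the config is consumed. `secretKey: string` deserves a comment that it is the signing secret and must not be committed to source. Lastly, `TokenTypes.API` is introduced alongside `REFRESH` but the commit message only describes refresh tokens; either document what an `API` token is or leave it for the commit that uses it.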