Bug: Refresh token rotation lacks reuse-detection — stolen token can fork session family indefinitely

[Srejoye]

In apps/backend/src/routes/auth.ts, the POST /auth/refresh handler implements rotation: it marks the presented refreshToken as revokedAt and issues a new one in the same family. However, it never checks whether the presented token was already revoked before rotating.

Current flow:

1. Load storedToken by tokenHash.
2. If storedToken.revokedAt is set → return 401 "Refresh token revoked".
3. Otherwise revoke it and issue a new token in the same family.

This looks correct at first glance, but there is no logic anywhere that revokes the entire family when a revoked token is reused. If an attacker steals a refresh token and uses it before the legitimate client does, both the attacker and the legitimate user end up with valid, divergent tokens in the same family — only the next user to present their (now-stale) token gets a 401 "Refresh token revoked", with no signal to the server that this indicates compromise. The legitimate user's session is silently broken while the attacker's forked session continues uninterrupted for up to 90 days (expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000).

There is no family-wide revocation (updateMany({ where: { family }, data: { revokedAt: ... } })) triggered on reuse-of-revoked-token detection, which is the standard mitigation for refresh token theft in rotating-token systems.

Affected: apps/backend/src/routes/auth.ts (POST /refresh handler, both around the storedToken.revokedAt check).

[github-actions]

Hi @Srejoye,

Thanks for opening this issue.

Please reply with one of the following areas so the issue can be routed to the appropriate team member:

- /backend
- /web
- /mobile
- /devops

Once an area is selected, the corresponding label will be added automatically.

[Srejoye]

/backend

[github-actions]

The issue has been classified as backend.

@Harxhit, please review and triage this issue when available.

The backend label has been applied and the issue has been routed accordingly.

[Srejoye]

Understanding: The refresh endpoint rotates tokens per-request and tracks a family UUID, but the revoked-token branch (if (storedToken.revokedAt)) only returns 401 — it doesn't treat "a revoked token was presented again" as a theft signal. In a correct rotation scheme, presenting an already-revoked token must invalidate the whole family, since it implies two parties hold copies of the same token chain.

Affected files: apps/backend/src/routes/auth.ts (POST /refresh), potentially apps/backend/src/utils/refreshToken.ts if a helper is added.

Proposed fix approach: In the if (storedToken.revokedAt) branch, before returning 401, issue app.prisma.refreshToken.updateMany({ where: { family: storedToken.family, revokedAt: null }, data: { revokedAt: new Date() } }) to kill all live tokens in that family, forcing full re-authentication for both attacker and victim.

Test considerations: Unit test simulating (a) normal rotation chain (token A → B → C, each old one revoked) succeeds; (b) presenting an already-revoked token A a second time results in token B and C (currently-live descendants) also being revoked, and subsequent /refresh with B returns 401.

Requesting this issue be assigned to me.

[Harxhit]

@Srejoye I have assigned this issue to you.