fix(auth): implement refresh token rotation endpoint#3421
Conversation
|
Someone is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
Implemented a missing token refresh endpoint to support refresh token rotation, reducing the risk of token replay attacks, and added a secure logout endpoint for proper session termination.
Root Cause
The authentication flow issued long-lived refresh tokens (7 days) but did not expose any endpoints to utilize these tokens. As a result, the application lacked refresh token rotation, meaning an intercepted refresh token could remain valid for its entire lifetime.
Solution
POST /auth/refreshendpoint that accepts therefresh_tokenHTTP-only cookie.supabase.auth.refresh_session()to securely validate the token, issue a new session, and automatically handle the invalidation/rotation of the previous refresh token._set_session_cookies().POST /auth/logoutendpoint that signs the user out of the Supabase backend and clears the session cookies.Files Changed
backend/main.py:auth_refreshlogic.auth_logoutlogic.Testing
Impact
/auth/logincookie flow.Checklist