Skip to content

fix(auth): implement refresh token rotation endpoint#3421

Open
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:fix/refresh-token-rotation
Open

fix(auth): implement refresh token rotation endpoint#3421
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:fix/refresh-token-rotation

Conversation

@Daksh7785

Copy link
Copy Markdown

Summary

Implemented a missing token refresh endpoint to support refresh token rotation, reducing the risk of token replay attacks, and added a secure logout endpoint for proper session termination.


Root Cause

The authentication flow issued long-lived refresh tokens (7 days) but did not expose any endpoints to utilize these tokens. As a result, the application lacked refresh token rotation, meaning an intercepted refresh token could remain valid for its entire lifetime.


Solution

  • Added a POST /auth/refresh endpoint that accepts the refresh_token HTTP-only cookie.
  • Leveraged supabase.auth.refresh_session() to securely validate the token, issue a new session, and automatically handle the invalidation/rotation of the previous refresh token.
  • Set the newly rotated access and refresh tokens securely via _set_session_cookies().
  • Added a POST /auth/logout endpoint that signs the user out of the Supabase backend and clears the session cookies.

Files Changed

  • backend/main.py:
    • Added auth_refresh logic.
    • Added auth_logout logic.

Testing

  • Build passed
  • Lint passed
  • Manual code verification completed for safe session handling

Impact

  • Breaking changes: No
  • Performance impact: Negligible
  • Security impact: High (Positive) - Severely limits the window of opportunity if a refresh token is stolen, complying with OAuth 2.0 best practices.
  • Compatibility: Fully backward compatible with the current /auth/login cookie flow.

Checklist

  • Issue solved
  • Build passes
  • Lint passes
  • No unrelated changes
  • Ready for review

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9e08b0aa-6662-4640-bba2-8be10db4e5de

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant