
Refresh reuse interval and reuse detection#117

Merged
thdxr merged 9 commits into anomalyco:master from pverheggen:feat/2-refresh-token-leeway
Jan 9, 2025

Conversation

@pverheggen
Contributor

@pverheggen pverheggen commented Dec 30, 2024

Refresh tokens can be reused multiple times within a certain window after their first use, configured by the ttl.refreshReuse option.

Also adds a ttl.refreshRetention option, which sets the number of seconds after the reuse interval to retain for reuse detection.

@changeset-bot

changeset-bot bot commented Dec 30, 2024

🦋 Changeset detected

Latest commit: a8c3a7f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: @openauthjs/openauth (Patch)


@thdxr
Contributor

thdxr commented Jan 2, 2025

cool! we definitely need to do this. only gave it a cursory look but in my head i imagined rewriting the refresh token back to the store with a new expiry so it would be cleaned up eventually

does that make sense at all?

@pverheggen pverheggen force-pushed the feat/2-refresh-token-leeway branch from d4d53dc to b4cf5b4 on January 6, 2025 22:00
@pverheggen pverheggen force-pushed the feat/2-refresh-token-leeway branch from 14a8969 to 1cb1837 on January 7, 2025 18:13
@pverheggen pverheggen changed the title Refresh token leeway and reuse detection Refresh reuse interval and reuse detection Jan 7, 2025
@pverheggen
Contributor Author

pverheggen commented Jan 7, 2025

> cool! we definitely need to do this. only gave it a cursory look but in my head i imagined rewriting the refresh token back to the store with a new expiry so it would be cleaned up eventually
>
> does that make sense at all?

Yup, that's currently the way it works. The new expiry is determined by (refreshReuse + refreshRetention), so 60s by default. The reason refreshRetention gets added to the expiry is so that it can be kept around for reuse detection, which is supposed to mitigate replay attacks.

I made some more updates since the previous draft, and think it's good to go now:

  • JSDoc strings and comments where appropriate
  • Unit tests
  • Renamed "leeway" to "reuse interval". Apparently leeway is unrelated and has to do with clock skew (at least as Auth0 defines it).
  • Fixed a bug with token invalidation that I ran into, described in the changeset. If that fix needs more discussion, I could split that out into a separate PR.
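
A small model of the behaviour described in this thread (rotate on first use, tolerate reuse inside the reuse interval, keep the used token around for refreshRetention more seconds so a late presentation can be classified as a replay). This is an added example, not OpenAuth's code: the class and method names, the injectable clock, the 30s/30s split, and revoking the successor chain on detection are all assumptions.

```typescript
// Constructed model of refresh-token rotation with a reuse interval and
// reuse detection. Not OpenAuth's implementation; names and numbers are assumed.
type Entry = { subject: string; next?: string; usedAt?: number; expires: number };

class RefreshStore {
  private tokens = new Map<string, Entry>();
  private counter = 0;
  constructor(
    private now: () => number, // seconds; injectable so tests can move the clock
    private ttl = { refresh: 3600, refreshReuse: 30, refreshRetention: 30 }, // constructed values
  ) {}

  issue(subject: string): string {
    const token = `rt-${++this.counter}`;
    this.tokens.set(token, { subject, expires: this.now() + this.ttl.refresh });
    return token;
  }

  // Returns the successor token, or null when the presented token must be rejected.
  rotate(token: string): string | null {
    const rec = this.tokens.get(token);
    const t = this.now();
    if (!rec || t >= rec.expires) { this.tokens.delete(token); return null; }
    if (rec.usedAt === undefined) {
      // First use: rotate, then rewrite the old record with a shorter expiry of
      // refreshReuse + refreshRetention so later presentations can be classified
      // and the record is still cleaned up eventually.
      const next = this.issue(rec.subject);
      rec.usedAt = t; rec.next = next;
      rec.expires = t + this.ttl.refreshReuse + this.ttl.refreshRetention;
      return next;
    }
    // Inside the reuse interval (e.g. two SPA tabs racing): hand back the same successor.
    if (t - rec.usedAt <= this.ttl.refreshReuse) return rec.next!;
    // Past the interval but still retained: a replayed token. Assumed response:
    // revoke the whole chain descending from it so the holder of the successor is cut off too.
    this.revokeChain(token);
    return null;
  }

  private revokeChain(token: string): void {
    let cur: string | undefined = token;
    while (cur) { const r = this.tokens.get(cur); this.tokens.delete(cur); cur = r?.next; }
  }

  has(token: string): boolean { return this.tokens.has(token); }
}
```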

@pverheggen pverheggen marked this pull request as ready for review January 7, 2025 19:11
@mwood23

mwood23 commented Jan 7, 2025

This is an amazing addition, thank you @pverheggen for putting in the work on this. OpenAuth isn't really usable in a SPA without it.

@thdxr thdxr merged commit 92e7170 into anomalyco:master Jan 9, 2025
0 of 2 checks passed
@thdxr
Contributor

thdxr commented Jan 9, 2025

thank you for the contribution! made some minor tweaks to match some naming conventions we have but great
