Conversation

@ADARSHsri2004
Contributor

Description

This pull request completes the full backend implementation of the JWT-based authentication system with Refresh Token Rotation. It also integrates and finalizes two external OAuth providers.

Key features implemented include:

  • 🔄 Token Rotation: Implemented the /api/auth/refresh endpoint for securely issuing a new Access Token and rotating the Refresh Token stored as an HTTP-only cookie.
  • 🚪 Logout: Implemented the /api/auth/logout controller to clear the HTTP-only cookie and delete the token from the database.
  • 🔒 Access Control: Implemented the protect middleware to secure routes like /api/auth/me.

Semver Changes

  • Patch (bug fix, no new features)
  • Minor (new features, no breaking changes)
  • Major (breaking changes)

Issues

Closes #25


Checklist

  • I have read the Contributing Guidelines.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR implements JWT refresh token rotation for enhanced authentication security, replacing the previous single-token approach with separate access and refresh tokens. The implementation includes token rotation on refresh, secure logout, and protected route access control.

Key Changes:

  • Introduced dual-token system with separate access and refresh tokens, each using dedicated JWT secrets and configurable expiration times
  • Implemented refresh token rotation with reuse detection to mitigate token theft attacks
  • Added logout functionality that properly clears cookies and invalidates refresh tokens from the database

Reviewed Changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.

Summary per file:

  • backend/src/utils/generateToken.ts: Split token generation into separate functions for access and refresh tokens with configurable expiration
  • backend/src/routes/authRoutes.ts: Added new routes for logout and token refresh endpoints
  • backend/src/models/userModel.ts: Extended user schema to store array of valid refresh tokens
  • backend/src/middleware/authMiddleware.ts: Updated to use new JWT_ACCESS_SECRET environment variable
  • backend/src/controllers/authController.ts: Implemented refresh token rotation, logout logic, and OAuth callback with token management
  • backend/src/app.ts: Added cookie-parser middleware for handling HTTP-only cookies
  • backend/package.json: Added cookie-parser dependency and its TypeScript types
Files not reviewed (2)
  • backend/package-lock.json: Language not supported
  • frontend/package-lock.json: Language not supported


Member

@04shubham7 left a comment

Looks Fine

@04shubham7
Member

@ADARSHsri2004 go through the Copilot issues and resolve them one by one pls before getting merged

@ADARSHsri2004
Contributor Author

@04shubham7 changes have been applied

Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 8 comments.

Files not reviewed (2)
  • backend/package-lock.json: Language not supported
  • frontend/package-lock.json: Language not supported


@ADARSHsri2004
Contributor Author

@04shubham7 I have applied the changes

Member

@04shubham7 left a comment

Looks Fine

@04shubham7 merged commit afbc425 into OPCODE-Open-Spring-Fest:main on Oct 27, 2025
1 check passed
Development

Successfully merging this pull request may close these issues.

[Feature]: JWT Refresh Token Rotation

2 participants