feat: simplify token reuse algorithm #1072

kangmingtay · 2023-04-11T10:25:43Z

What kind of change does this PR introduce?

We decided that the check for whether a revoked refresh token is the parent of the most recently issued valid refresh token only improves the reuse detection marginally at the expense of leading to more random logout issues when an old refresh token is accidentally used twice.
Also, logging the revoked refresh token's ID so that it's easier to track if the client is sending very stale tokens

internal/api/token.go

github-actions · 2023-04-11T15:07:55Z

🎉 This PR is included in version 2.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

fix: remove parent check from reuse detection

581cf0c

kangmingtay requested a review from a team as a code owner April 11, 2023 10:25

kangmingtay self-assigned this Apr 11, 2023

hf reviewed Apr 11, 2023

View reviewed changes

internal/api/token.go Outdated Show resolved Hide resolved

feat: simplify token reuse algorithm

bf8c55e

hf changed the title ~~fix: remove parent check from reuse detection~~ feat: simplify token reuse algorithm Apr 11, 2023

mansueli approved these changes Apr 11, 2023

View reviewed changes

fix tests

421ed7b

hf approved these changes Apr 11, 2023

View reviewed changes

hf merged commit 9ee3ab6 into master Apr 11, 2023

hf deleted the km/fix-reuse-detection branch April 11, 2023 15:00

github-actions bot added the released label Apr 11, 2023