juancwu/authkit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cap refresh chain lifetime via RefreshChainAbsoluteTTL

Browse source 
Sessions had an absolute cap (created_at + SessionAbsoluteTTL) but the
JWT path only had per-token TTL on the refresh row, letting a
well-behaved client refresh indefinitely. Add chain_started_at to
authkit_tokens, copy it forward on every rotation, and reject in
RefreshJWT when now > chainStartedAt + RefreshChainAbsoluteTTL.
Default 30d, mirroring SessionAbsoluteTTL.

Schema, verifier, queries, model, and integration test updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
juancwu 2026-04-26 23:41:02 +00:00
commit ca5525d4bd
11 changed files with 129 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

4
migrations/0001_init.sql
View file

@ -48,6 +48,10 @@ CREATE TABLE IF NOT EXISTS authkit_tokens (
kind TEXT NOT NULL,
user_id UUID NOT NULL REFERENCES authkit_users(id) ON DELETE CASCADE,
chain_id TEXT,
-- chain_started_at is the timestamp of the first refresh in a chain.
-- Copied forward on every rotation so the absolute-cap check in
-- RefreshJWT is O(1). Non-null only for refresh-token rows.
chain_started_at TIMESTAMPTZ,
consumed_at TIMESTAMPTZ,
attempts_remaining INTEGER,
created_at TIMESTAMPTZ NOT NULL,