Description
Currently our authentication flow relies on a single long-lived JWT (access token), which weakens security: a leaked token stays usable until it expires. This feature request improves the flow by:
- Adding short-lived access tokens (e.g. 15 minutes)
- Implementing refresh tokens (e.g. 7 days)
- Creating a /refresh-token endpoint
- Storing refresh tokens securely (in the DB)
- Creating a /logout route to revoke refresh tokens
Tasks:
- Update .env with token expiry values
- Modify the User model to store the refresh token
- Issue both access and refresh tokens on login
- Add a /refresh-token endpoint that issues a new access token
- Add a /logout endpoint that invalidates the refresh token
- Update the auth middleware to reject expired tokens
Benefits
- Improved security (short-lived access tokens)
- Better user experience (no repeated logins)
- Easy session management and logout support
- Lays groundwork for token rotation or session invalidation