Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Old tokens still work after refreshing then token

See original GitHub issue

I tested the with-localstorage example, which uses request header st-cookie instead of cookie. I tested it with Postman, successfully signup and login, and refresh token. After refresing token, I got new accessToken, new refreshToken, new IdRefreshToken, the old tokens(including accessToken, refreshToken) still work. Is that supposed to be still valid after refreshing tokens?

Issue Analytics

State:
Created 10 months ago
Comments:7 (3 by maintainers)

Top GitHub Comments

1reaction

leoujzcommented, Nov 18, 2022

agree, it works, thanks very much. After using new tokens to get sessioninfo, I use old tokens to refresh the token and get empty tokens back, then all tokens are invalidated, that’s really great.

0reactions

rishabhpoddarcommented, Nov 17, 2022

not really. If you invalidate the old one, and if that doesn’t reach the frontend (cause of some network issue), then the user will be logged out. Instead, we invalidate the old one only when the new access token or the new refresh token is used. In this case, we also invalidate the other “sibling” refresh token that was generated