Security: Implement Session Token Rotation and Refresh Token Rotation

[Smartdevs17]

Context

Long-lived sessions increase the window of vulnerability if tokens are stolen. Current session management uses static refresh tokens.

Current Limitation/Problem

Access tokens expire after 15 minutes but refresh tokens are long-lived (30 days) and not rotated. A stolen refresh token grants prolonged access. There is no refresh token rotation.

Expected Outcome

Implement refresh token rotation: each refresh request issues a new refresh token and invalidates the old one. Automatic revocation of compromised token families.

Acceptance Criteria

• Rotate refresh token on every refresh request
• Maintain token family tree for abuse detection
• Auto-revoke entire token family if a rotated token is reused (indicates theft)
• Configurable: absolute token lifetime (max 30 days), sliding expiration (max 7 days inactivity)
• Store token hashes (not raw tokens) in database
• Token revocation API and admin dashboard
• Audit log for all token operations
• Rate limit token refresh endpoint (5 requests/minute)
• NIST SP 800-63B compliant session management

Technical Scope

• backend/src/auth/token-rotation.ts - rotation logic
• backend/src/middleware/token-auth.ts - enhanced token validation
• Prisma: RefreshToken model with token family tracking
• Redis: token blacklist for immediate revocation
• Frontend: session management UI (active sessions, revoke)
• Edge cases: concurrent refresh requests (race condition), token family replay detection

[vjuliaife]

@vjuliaife has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi, i would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @vjuliaife to this issue.

[drips-wave]

Congratulations, @vjuliaife! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @vjuliaife: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @vjuliaife as part of the Stellar Wave Program's 6th Wave 🥳

😎 @vjuliaife: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.