Context
The current refresh token mechanism works, but it still lacks rotation, revocation, and an explicit backend logout flow. That is acceptable for the MVP, but further admin panel work will be safer and easier if the session lifecycle is tightened up now.
Task checklist
- design a way to store / revoke refresh tokens
- add refresh token rotation during session refresh
- add a logout endpoint that revokes the active refresh token
- handle refresh token reuse after rotation or revocation (treat a replayed, already-retired token as a sign of theft and revoke the whole session, not just that token)
- update the API contract for the frontend
- add integration tests for refresh, logout, and token revocation
- document the architectural decision in docs or an ADR if needed
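The checklist above describes one mechanism: refresh tokens stored server-side (hashed), rotated on every refresh, revoked on logout, and reuse of a retired token detected and punished. The following is an added example sketching that mechanism, not code from this repository; it assumes an in-memory store, a "family" id shared by every token descended from one login, and Python, none of which the issue specifies.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str                    # all tokens rotated from one login share a family
    expires_at: float
    revoked: bool = False
    replaced_by: Optional[str] = None  # hash of the successor token, set on rotation


class RefreshTokenStore:
    """In-memory store keyed by SHA-256 of the opaque token (constructed for this example;
    a real deployment would back this with the auth service's database or cache)."""

    def __init__(self, ttl_seconds: int = 14 * 24 * 3600):
        self.ttl = ttl_seconds
        self._records: Dict[str, RefreshRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a leaked table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family_id: Optional[str] = None, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = RefreshRecord(
            user_id=user_id,
            family_id=family_id or secrets.token_hex(8),
            expires_at=now + self.ttl,
        )
        return token

    def _revoke_family(self, family_id: str) -> None:
        for rec in self._records.values():
            if rec.family_id == family_id:
                rec.revoked = True

    def refresh(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Rotate: retire the presented token and issue a successor in the same family.
        Returns the new refresh token, or None when the presented one is not acceptable."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        if rec is None or rec.expires_at <= now:
            return None
        if rec.revoked or rec.replaced_by is not None:
            # Reuse of a token that was already rotated or revoked: either the real
            # client or an attacker now holds a token the other party lacks, so the
            # whole family (the login session) is treated as compromised.
            self._revoke_family(rec.family_id)
            return None
        new_token = self.issue(rec.user_id, rec.family_id, now)
        rec.replaced_by = self._key(new_token)
        rec.revoked = True
        return new_token

    def logout(self, token: str) -> bool:
        """Explicit logout: revoke the presented token's entire family."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return False
        self._revoke_family(rec.family_id)
        return True

    def is_active(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self._records.get(self._key(token))
        return rec is not None and not rec.revoked and rec.expires_at > now


def demo() -> dict:
    """Login, rotation, replay of a retired token, and refresh after logout."""
    store = RefreshTokenStore(ttl_seconds=3600)
    t0 = 1_700_000_000.0                       # fixed clock so the walk-through is deterministic
    a1 = store.issue("user-1", now=t0)         # session A: login
    a2 = store.refresh(a1, now=t0 + 10)        # normal rotation
    a_replay = store.refresh(a1, now=t0 + 20)  # retired token replayed
    b1 = store.issue("user-1", now=t0)         # session B: login, then logout
    logged_out = store.logout(b1)
    b_after_logout = store.refresh(b1, now=t0 + 5)
    return {
        "rotated": a2 is not None and a2 != a1,
        "replay_rejected": a_replay is None,
        "family_revoked_after_replay": not store.is_active(a2, now=t0 + 20),
        "logout_ok": logged_out,
        "refresh_after_logout_rejected": b_after_logout is None,
    }
```

Two caveats worth carrying into the design: `issue()` gives each rotated token a fresh TTL, so a session can be kept alive indefinitely by refreshing; if that is not wanted, record an absolute session deadline on the family as well. And the reuse check is only sound if refresh is atomic per token, so a concurrent pair of refreshes with the same token must not both succeed; that is a database constraint (compare-and-set on `replaced_by`), not something the in-memory sketch enforces.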
Dependencies
- after #49 Auth service + router
- ideally before full frontend sync/offline support is implemented