
New v4.15.0 created automatically from CircleCI#147

Merged
MikeDev75015 merged 3 commits into
mainfrom
develop
May 31, 2026

Conversation

@MikeDev75015

Owner
  • feat(auth): add grace window, rotate=false, and atomic CAS rotation for refresh tokens
    Add reuseWindowMs and rotate options to DynamicApiRefreshTokenOptions.

    • reuseWindowMs: grace window in ms — the superseded jti is accepted
      within this period and returns the cached token pair, preventing
      false-positive 401s on concurrent multi-tab / multi-device bursts.
    • rotate: false — persistent-token mode; validates the stored hash on
      each call without rotating it; server-side revocation via logout
      still works.
    • Atomic rotation via findOneAndUpdate (compare-and-swap on stored
      raw value) — eliminates the race condition between concurrent
      read-then-write operations; CAS misses fall back to the grace window.
    • Changed storage format from plain bcrypt hash to JSON RefreshTokenRecord
      ({ currentHash, previousHash?, rotatedAt?, cachedTokens? });
      backward-compatible with existing plain-hash values.

    Unit tests: 86 passing, 98.93% branch coverage.
    E2E tests: 14 passing (grace window burst, rotate=false multi-use,
    revocation after rotate=false, grace window expiry).

  • refactor(auth): reduce cognitive complexity of refreshToken from 24 to ~6
    Extract 4 private helpers to flatten the refreshToken method:

    • extractIncomingJti: decodes rawToken and returns the jti claim
    • handleInvalidCurrentJti: grace-window check + throw on invalid current jti
    • rotateCasOrThrow: atomic CAS rotation, delegates CAS miss to handleCasMiss
    • handleCasMiss: re-read + grace-window check after concurrent rotation

    All existing tests pass (97). New unit tests added for each helper.
    Coverage: 100% stmt/lines/fn on base-auth.service.ts.

  • chore(release): 4.15.0

Mickael N. and others added 3 commits May 31, 2026 18:25
…or refresh tokens

Add reuseWindowMs and rotate options to DynamicApiRefreshTokenOptions.

- reuseWindowMs: grace window in ms — the superseded jti is accepted
  within this period and returns the cached token pair, preventing
  false-positive 401s on concurrent multi-tab / multi-device bursts.
- rotate: false — persistent-token mode; validates the stored hash on
  each call without rotating it; server-side revocation via logout
  still works.
- Atomic rotation via findOneAndUpdate (compare-and-swap on stored
  raw value) — eliminates the race condition between concurrent
  read-then-write operations; CAS misses fall back to the grace window.
- Changed storage format from plain bcrypt hash to JSON RefreshTokenRecord
  ({ currentHash, previousHash?, rotatedAt?, cachedTokens? });
  backward-compatible with existing plain-hash values.

Unit tests: 86 passing, 98.93% branch coverage.
E2E tests: 14 passing (grace window burst, rotate=false multi-use,
  revocation after rotate=false, grace window expiry).
…o ~6

Extract 4 private helpers to flatten the refreshToken method:
- extractIncomingJti: decodes rawToken and returns the jti claim
- handleInvalidCurrentJti: grace-window check + throw on invalid current jti
- rotateCasOrThrow: atomic CAS rotation, delegates CAS miss to handleCasMiss
- handleCasMiss: re-read + grace-window check after concurrent rotation

All existing tests pass (97). New unit tests added for each helper.
Coverage: 100% stmt/lines/fn on base-auth.service.ts.
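
The rotation flow described in the PR description and in the commit messages above, as an added example that is not the project's own code: an in-memory TypeScript model of the RefreshTokenRecord format, the compare-and-swap rotation with its CAS-miss fallback, the reuseWindowMs grace window and rotate=false. The Map-backed store, the sha256 stand-in for bcrypt, the constructed token strings and the method names here are assumptions, not the library's API.

```typescript
import { createHash, randomUUID } from "node:crypto";
// Storage format named in the PR; the field names are the PR's, everything else here is assumed.
export type TokenPair = { accessToken: string; refreshToken: string };
export interface RefreshTokenRecord {
  currentHash: string;
  previousHash?: string;
  rotatedAt?: number;
  cachedTokens?: TokenPair;
}
type Options = { reuseWindowMs: number; rotate: boolean };
// Offline stand-in for bcrypt, used only so the example has no dependencies (assumption).
const hashJti = (jti: string) => createHash("sha256").update(jti).digest("hex");
const mint = (jti: string): TokenPair => ({ accessToken: `at.${jti}`, refreshToken: jti });
export class RefreshTokenService {
  // In-memory stand-in for the persisted field: the raw stored value (legacy plain hash or JSON record).
  private store = new Map<string, string>();
  private readonly opts: Options;
  constructor(opts: Options) { this.opts = opts; }
  issue(userId: string): TokenPair {
    const jti = randomUUID();
    this.store.set(userId, JSON.stringify({ currentHash: hashJti(jti) }));
    return mint(jti);
  }
  // Models findOneAndUpdate({ userId, raw: expected }, { raw: next }): writes only if nobody wrote first.
  private compareAndSwap(userId: string, expected: string, next: string): boolean {
    if (this.store.get(userId) !== expected) return false;
    this.store.set(userId, next);
    return true;
  }
  refresh(userId: string, presentedJti: string, now = Date.now()): TokenPair {
    const raw = this.store.get(userId);
    if (!raw) throw new Error("401: no refresh token on record");
    // Backward compatibility: a legacy plain-hash value is read as a record with only currentHash.
    const rec: RefreshTokenRecord = raw.startsWith("{") ? JSON.parse(raw) : { currentHash: raw };
    const h = hashJti(presentedJti);
    if (h !== rec.currentHash) return this.graceOrThrow(rec, h, now);
    if (!this.opts.rotate) return mint(presentedJti); // persistent-token mode: validate, never rotate
    const pair = mint(randomUUID());
    const next: RefreshTokenRecord = { currentHash: hashJti(pair.refreshToken),
      previousHash: rec.currentHash, rotatedAt: now, cachedTokens: pair };
    if (this.compareAndSwap(userId, raw, JSON.stringify(next))) return pair;
    // CAS miss: a concurrent request rotated first; re-read and fall back to the grace window.
    return this.graceOrThrow(JSON.parse(this.store.get(userId)!), h, now);
  }
  // A superseded jti is accepted only within reuseWindowMs and only ever returns the cached pair.
  private graceOrThrow(rec: RefreshTokenRecord, h: string, now: number): TokenPair {
    const inWindow = rec.rotatedAt !== undefined && now - rec.rotatedAt <= this.opts.reuseWindowMs;
    if (h === rec.previousHash && inWindow && rec.cachedTokens) return rec.cachedTokens;
    throw new Error("401: refresh token invalid or reused outside the grace window");
  }
}
```

Because the grace path returns the cached pair rather than minting a second one, a burst of concurrent refreshes converges on a single live refresh token, which is what keeps server-side revocation effective.
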
Copilot AI review requested due to automatic review settings May 31, 2026 16:47

@MikeDev75015 MikeDev75015 merged commit d5b46ec into main May 31, 2026
7 of 9 checks passed

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
