Class RefreshTokenService

java.lang.Object
vaultWeb.services.auth.RefreshTokenService

@Service public class RefreshTokenService extends Object
  • Constructor Details

    • RefreshTokenService

      public RefreshTokenService()
  • Method Details

    • create

      public void create(User user, jakarta.servlet.http.HttpServletResponse response)
      Creates and issues a new refresh token for the given user.

      Session model:

      This implementation enforces a single active session per user. Whenever a new refresh token is issued, all previously issued refresh tokens for the user are revoked. This design prioritizes security over multi-device support by preventing concurrent sessions.

      Workflow:

      1. Revokes all existing refresh tokens associated with the user to ensure only one active refresh token exists per user/session.
      2. Generates a unique token identifier (jti) for the new refresh token.
      3. Creates a signed refresh token JWT containing the user identifier and the generated jti.
      4. Computes a one-way SHA-256 hash of the refresh token and stores it in the database instead of storing the token in plaintext.
      5. Persists the refresh token metadata (jti, hash, user, expiration, and revocation status) in the database.
      6. Sends the refresh token to the client as a secure, HttpOnly cookie.

      Security considerations:

      • Refresh tokens are JWTs signed with a dedicated refresh signing key.
      • The refresh token itself is never stored in plaintext; only a SHA-256 hash is persisted.
      • Revoking existing tokens prevents reuse and enforces refresh token rotation semantics.
      • The refresh token cookie is marked HttpOnly and Secure to mitigate XSS and man-in-the-middle attacks.

      Parameters:
      user - the authenticated user for whom the refresh token is issued
      response - the HTTP response used to attach the refresh token cookie
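
The six-step workflow above, written out as an added, self-contained example; this is not the project's own `RefreshTokenService` source, which is not on this page. It assumes a hypothetical `RefreshTokenRepository` interface and `RefreshTokenRecord` record standing in for the project's data layer, a user id string in place of the `User` entity, a 30-day lifetime, a cookie path scoped to a hypothetical `/auth/refresh` endpoint, and an HS256 JWT built by hand with `javax.crypto` so that no third-party JWT library is needed. A real service would use the project's JSON and JWT libraries rather than string formatting.

```java
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.UUID;

public class RefreshTokenIssuer {

    /** Hypothetical persistence record: jti, hash, user, expiration and revocation status. */
    public record RefreshTokenRecord(String jti, String tokenHash, String userId,
                                     Instant expiresAt, boolean revoked) {}

    /** Hypothetical repository abstraction; the project's real data layer is not on the page. */
    public interface RefreshTokenRepository {
        void revokeAllForUser(String userId);
        void save(RefreshTokenRecord record);
    }

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final long TTL_SECONDS = 30L * 24 * 3600; // assumed refresh token lifetime

    private final RefreshTokenRepository repo;
    private final byte[] refreshSigningKey; // dedicated key, separate from the access-token key

    public RefreshTokenIssuer(RefreshTokenRepository repo, byte[] refreshSigningKey) {
        this.repo = repo;
        this.refreshSigningKey = refreshSigningKey;
    }

    public void create(String userId, HttpServletResponse response) throws Exception {
        // 1. Single active session per user: revoke every previously issued refresh token.
        repo.revokeAllForUser(userId);

        // 2. Unique token identifier for the new refresh token.
        String jti = UUID.randomUUID().toString();
        Instant expiresAt = Instant.now().plusSeconds(TTL_SECONDS);

        // 3. Signed JWT carrying the user identifier and the jti.
        String token = signJwt(userId, jti, expiresAt);

        // 4. Only a one-way SHA-256 hash of the token is kept server-side.
        String tokenHash = sha256Hex(token);

        // 5. Persist the metadata; the plaintext token never reaches the database.
        repo.save(new RefreshTokenRecord(jti, tokenHash, userId, expiresAt, false));

        // 6. Deliver the token to the client in an HttpOnly, Secure cookie.
        Cookie cookie = new Cookie("refresh_token", token);
        cookie.setHttpOnly(true);          // not readable from page scripts
        cookie.setSecure(true);            // only sent over TLS
        cookie.setPath("/auth/refresh");   // assumed: limit the cookie to the refresh endpoint
        cookie.setMaxAge((int) TTL_SECONDS);
        response.addCookie(cookie);
    }

    /** Compact HS256 JWT (header.payload.signature), signed with the refresh key. */
    String signJwt(String userId, String jti, Instant expiresAt) throws Exception {
        String header = B64.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(String.format(
                "{\"sub\":\"%s\",\"jti\":\"%s\",\"exp\":%d}",
                userId, jti, expiresAt.getEpochSecond()).getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(refreshSigningKey, "HmacSHA256"));
        String signature = B64.encodeToString(
                mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
        return signingInput + "." + signature;
    }

    /** Hex-encoded SHA-256 of the token; the same function is used to look a presented token up. */
    static String sha256Hex(String token) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().formatHex(md.digest(token.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Because only the hash is stored, the refresh endpoint recomputes `sha256Hex` over the presented cookie value and looks the record up by that hash (together with the `jti` and the revocation flag); a database leak therefore yields no usable tokens. Two points worth checking in a real deployment that the page does not spell out: the cookie should also carry a `SameSite` attribute, and `revokeAllForUser` should run in the same transaction as `save` so that a failure between steps 1 and 5 cannot leave the user with no valid session and no record of why.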