feat: rotating refresh tokens for player auth #145
Merged
Replace the single opaque session token with a short-lived access token (60m) paired with a rotating refresh token (30d), backed by nova_auth_refresh (nova_auth 0.2.0). Refresh tokens are single-use with reuse detection: replaying a rotated token burns the whole family.

- bump nova_auth ~> 0.2 (0.2.0); nova_auth_oidc 0.1.3 (pairs with 0.2.0, adds the iss-claim validation fix)
- player_tokens: add family_id + used_at (+ index); migration adds columns
- asobi_auth: token_schema now carries family_id/used_at (TTLs use nova_auth defaults: 60 min access / 30 day refresh)
- asobi_auth_tokens: shared issue/2,3 and revoke_access/1
- controllers: register/login/oauth issue access+refresh pairs; refresh rotates; new POST /api/v1/auth/logout revokes the family + access token
- auth cache resolves via get_user_by_access_token
- dialyzer: fix asobi_oidc_config spec (oidc_config/0 never existed -> map()) and add nova_auth/nova_auth_oidc to plt_extra_apps
- tests: migrate suites to access_token; add reuse-detection + logout tests

The client response shape changes from `session_token` to `access_token` + `refresh_token`; SDKs must persist the refresh token and rotate on 401.
Wires the published nova_auth 0.2.0 rotating-refresh-token model into asobi's player auth, replacing the single opaque session token.
What changes
- session_token. Refresh tokens are single-use; replaying a rotated one is treated as theft and burns the whole token family (reuse_detected).
- POST /api/v1/auth/refresh now takes {"refresh_token": ...} and returns a fresh pair.
- POST /api/v1/auth/logout (new): revokes the refresh family and deletes the presented access token.
- player_tokens gains family_id + used_at (+ index); migration m20260701130000_add_refresh_token_columns adds the columns (first alter_table migration in the repo).
- nova_auth_refresh:get_user_by_access_token/2; the existing ban gate (ensure_active/is_banned) is preserved.
- nova_auth ~> 0.2 (0.2.0); nova_auth_oidc 0.1.3 (the version built against nova_auth 0.2.0; also carries the iss-claim validation fix).
- asobi_oidc_config spec (nova_auth_oidc:oidc_config/0 never existed → map()) and added nova_auth/nova_auth_oidc to plt_extra_apps.

The auth response shape changes: session_token → access_token + refresh_token. Clients must store the refresh token and call /auth/refresh (rotating it) on a 401, then /auth/logout to end a session. All game SDKs (dart/js/unity/unreal/godot/defold) need updating to match — tracked as the next step.

Tests

- access_token.
- refresh_reuse_detected and logout_revokes_family HTTP tests to asobi_api_SUITE.
- compile/as test compile, xref, cache eunit 6/6, and dialyzer clean. CT suites run against Postgres in CI.
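The issue / rotate / reuse-detect / logout flow the PR describes, as an added Python illustration that is not asobi's or nova_auth's code: the in-memory `TokenStore`, its method names and the player ids are constructed for the example, and the TTLs follow the 60 min / 30 day nova_auth defaults the PR cites. A refresh token row keeps its `family_id` and `used_at`; presenting a token whose `used_at` is already set is the reuse signal that burns the family.

```python
import secrets
import time

# nova_auth defaults cited in the PR: 60 min access / 30 day refresh
ACCESS_TTL = 60 * 60
REFRESH_TTL = 30 * 24 * 60 * 60


class TokenStore:
    # Constructed in-memory stand-in for the player_tokens table (not asobi's code).
    def __init__(self, now=time.time):
        self.now = now
        self.access = {}   # access_token -> (user_id, family_id, expires_at)
        self.refresh = {}  # refresh_token -> {user_id, family_id, used_at, expires_at}

    def issue(self, user_id, family_id=None):
        """Mint an access+refresh pair; a new family unless rotating an existing one."""
        family_id = family_id or secrets.token_hex(8)
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        t = self.now()
        self.access[access] = (user_id, family_id, t + ACCESS_TTL)
        self.refresh[refresh] = {"user_id": user_id, "family_id": family_id,
                                 "used_at": None, "expires_at": t + REFRESH_TTL}
        return access, refresh

    def _burn_family(self, family_id):
        # Drop every refresh token in the family; access tokens simply age out (60 min).
        self.refresh = {k: v for k, v in self.refresh.items() if v["family_id"] != family_id}

    def rotate(self, refresh_token):
        """POST /auth/refresh: single use; replaying a spent token burns the family."""
        row = self.refresh.get(refresh_token)
        if row is None or row["expires_at"] <= self.now():
            return ("error", "invalid_token")
        if row["used_at"] is not None:
            self._burn_family(row["family_id"])     # reuse detected -> treat as theft
            return ("error", "reuse_detected")
        row["used_at"] = self.now()                 # mark spent; keep the row as evidence
        return ("ok", self.issue(row["user_id"], row["family_id"]))

    def logout(self, access_token):
        """POST /auth/logout: revoke the refresh family, delete the presented access token."""
        entry = self.access.pop(access_token, None)
        if entry is None:
            return False
        self._burn_family(entry[1])
        return True

    def get_user_by_access_token(self, access_token):
        entry = self.access.get(access_token)
        return None if entry is None or entry[2] <= self.now() else entry[0]
```

Keeping the spent refresh row (rather than deleting it) is what makes the replay distinguishable from an unknown token, so the family can be burned instead of just returning `invalid_token`.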