Class: RefreshTokenManager
Defined in: src/auth/session/refresh-token-manager.ts:207
Refresh token manager implementation.
Remarks
Provides secure refresh token lifecycle management with:
- Cryptographically secure token generation (256-bit)
- Token family tracking for rotation
- Replay attack detection and mitigation
When token reuse is detected (replay attack), the entire token family is revoked to prevent further abuse.
Example
const refreshManager = new RefreshTokenManager({
  redis,
  logger,
});

// Create initial refresh token
const { token, hash } = await refreshManager.createToken(
  sessionId,
  'did:plc:abc123'
);

// Rotate on refresh
const { data, newToken } = await refreshManager.rotateToken(token);
Constructors
new RefreshTokenManager()
new RefreshTokenManager(options): RefreshTokenManager
Defined in: src/auth/session/refresh-token-manager.ts:217
Creates a new RefreshTokenManager.
Parameters
options
Manager options
Returns
Methods
createToken()
createToken(sessionId, did, familyId?, generation?): Promise<RefreshToken>
Defined in: src/auth/session/refresh-token-manager.ts:232
Creates a new refresh token for a session.
Parameters
sessionId
string
Associated session ID
did
User's DID
familyId?
string
Optional family ID (creates new family if not provided)
generation?
number = 1
Token generation number (default 1)
Returns
Promise<RefreshToken>
Created refresh token with metadata
revokeFamilyTokens()
revokeFamilyTokens(familyId): Promise<void>
Defined in: src/auth/session/refresh-token-manager.ts:424
Revokes all tokens in a family.
Parameters
familyId
string
Token family ID
Returns
Promise<void>
Remarks
Used when token reuse is detected to prevent further abuse.
revokeSessionTokens()
revokeSessionTokens(sessionId): Promise<void>
Defined in: src/auth/session/refresh-token-manager.ts:452
Revokes all refresh tokens for a session.
Parameters
sessionId
string
Session ID
Returns
Promise<void>
revokeToken()
revokeToken(token): Promise<void>
Defined in: src/auth/session/refresh-token-manager.ts:398
Revokes a specific refresh token.
Parameters
token
string
The refresh token to revoke
Returns
Promise<void>
rotateToken()
rotateToken(token): Promise<{ data: RefreshTokenData; newToken: RefreshToken; }>
Defined in: src/auth/session/refresh-token-manager.ts:344
Rotates a refresh token.
Parameters
token
string
The current refresh token
Returns
Promise<{ data: RefreshTokenData; newToken: RefreshToken; }>
Token data and new token
Remarks
Marks the current token as used and creates a new token in the same family with incremented generation.
Throws
RefreshTokenError if rotation fails
validateToken()
validateToken(token): Promise<RefreshTokenData>
Defined in: src/auth/session/refresh-token-manager.ts:283
Validates a refresh token.
Parameters
token
string
The refresh token string
Returns
Promise<RefreshTokenData>
Token data if valid
Throws
RefreshTokenError if token is invalid, expired, or reused
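The family rotation and reuse handling described in the class Remarks and under rotateToken(), as an added TypeScript example that is not the project's own code. It assumes an in-memory Map in place of Redis, no expiry, and hypothetical names (RotationModel, Rec, replayScenario); the real RefreshTokenData fields are not shown on this page.

```typescript
import { createHash, randomBytes } from "crypto";

// Hypothetical record shape; the real RefreshTokenData fields are not on the page.
interface Rec { familyId: string; generation: number; used: boolean; revoked: boolean }
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");
// In-memory model. Assumption: a Map stands in for Redis and expiry is ignored.
class RotationModel {
  private byHash = new Map<string, Rec>(); // keyed by token hash, not the raw token

  create(familyId: string = randomBytes(16).toString("hex"), generation = 1): string {
    const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    this.byHash.set(sha256(token), { familyId, generation, used: false, revoked: false });
    return token;
  }

  revokeFamily(familyId: string): void {
    this.byHash.forEach((rec) => { if (rec.familyId === familyId) rec.revoked = true; });
  }

  // Returns the successor token; throws on unknown, revoked or replayed input.
  rotate(token: string): string {
    const rec = this.byHash.get(sha256(token));
    if (!rec) throw new Error("invalid");
    if (rec.revoked) throw new Error("revoked");
    if (rec.used) {
      // A used token shown again means two parties hold the chain. The server
      // cannot tell which is legitimate, so every token in the family is revoked.
      this.revokeFamily(rec.familyId);
      throw new Error("reused");
    }
    rec.used = true;
    return this.create(rec.familyId, rec.generation + 1);
  }

  generationOf(token: string): number | undefined {
    return this.byHash.get(sha256(token))?.generation;
  }
}

// Constructed scenario: generation 1 is rotated, then presented a second time.
function replayScenario(): string[] {
  const m = new RotationModel();
  const outcome = (t: string): string => {
    try { m.rotate(t); return "ok"; } catch (e) { return (e as Error).message; }
  };
  const g1 = m.create();
  const g2 = m.rotate(g1); // legitimate refresh, generation 2
  return [outcome(g1), outcome(g2)]; // replayed g1, then the unused g2
}
```

In the scenario the replayed generation-1 token fails as "reused", and the generation-2 token that had never been used then fails as "revoked", which is the family-wide effect the Remarks describe.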