    bayu
    5 months ago
    hi all, I've read this article https://supertokens.com/blog/the-best-way-to-securely-manage-user-sessions but I'm still curious about Notes For Implementation no. 4: "4. Detection of refresh token theft does not require the database to explicitly store invalidated tokens. This can be achieved through structuring the refresh tokens using parent-child hierarchies (see Github implementation)." Can anyone explain these parent-child hierarchies? I've tried to find it on GitHub with no luck.

    rp
    5 months ago
    Hey!
    So all refresh tokens for a session have the session ID embedded in them (and they are signed too). So if the signature matches, and the session handle is in the db, then we can assume that we created the refresh token. If the refresh token itself is not in the db, and it's not a child of the refresh token that's in the db, it means this refresh token was previously used and exchanged for a new refresh token. Hence we can assume it's stolen.

    bayu
    5 months ago
    so a new child refresh token has a "replacingParentRefreshTokenId" field? If its signature matches and the parent is currently in the db, then we can assume the new child refresh token is authentic? In short, we just need to store the parent refresh token? A user can generate multiple new child refresh tokens, but once one of them is used to get a new access token, its parent refresh token is replaced?

    rp
    5 months ago
    Yes. Exactly. And then the child becomes the parent for new refresh tokens.

    bayu
    5 months ago
    ahh I see, thank you so much for your explanation! 😀

    rp
    5 months ago
    Are you implementing this on your own? Or just curious?
    And are you using supertokens?

    bayu
    5 months ago
    yeahh I'm curious and want to try implementing this on my own just to learn.
    I read and learn a lot from articles by supertokens; I'm interested but still want to know how supertokens works inside.
    thank you so much!

    rp
    5 months ago
    Fair! Our code is open source too. So that could help.

    bayu
    5 months ago
    wow, it helps so much. I've explored the Java code but I'm lost XD. Didn't know it was all explained well on the wiki. thank you!