hi all, I've read this article https://supertokens...
# generalu
._.kp
04/10/2022, 9:06 AMhi all, I've read this article https://supertokens.com/blog/the-best-way-to-securely-manage-user-sessions
but I still curious about Notes For Implementation no.4:
4. Detection of refresh token theft does not require the database to explicitly store invalidated tokens. This can be achieved through structuring the refresh tokens using parent-child hierarchies (see Github implementation).
can anyone explain about this
parent-child hierarchiesr
rp_st
04/10/2022, 9:08 AMHey!
rp_st
04/10/2022, 9:10 AMSo all refresh tokens for a session have the session ID embedded in them (and they are signed too). So if the signature matches, and the session handle is in the db, then we can assume that we created the refresh token. If the refresh token itself is not in the db, and it’s not a child of the refresh token that’s in the db, it means this refresh token was previously used and exchanged for anew refresh token. Hence we can assume it’s stolen
u
._.kp
04/10/2022, 9:24 AMso a new child refresh token have a "replacingParentRefreshTokenId" data? if its signature matches and the parent currently on the db then we can assume the new child refresh token is authentic?
in short, we just need to store the parent refresh token?
user can generate new multiple child refresh token, but once one of them used to get new access token, its parent refresh token is replaced?
r
rp_st
04/10/2022, 9:25 AMYes. Exactly. And then the child becomes the parent for new refresh tokens.
u
._.kp
04/10/2022, 9:28 AMahh I see, Thank you so much for your explanation! 😀
r
rp_st
04/10/2022, 9:28 AMAre you implementing this on your own? Or just curious?
rp_st
04/10/2022, 9:28 AMAnd are you using supertokens?
u
._.kp
04/10/2022, 9:32 AMyeahh I curious and want to try implement this on my own just to learning.
._.kp
04/10/2022, 9:34 AMI read and learn a lot article by supertokens, i interested but still want to know how supertokens work inside
._.kp
04/10/2022, 9:34 AMthank you so much!
r
rp_st
04/10/2022, 9:35 AMFair! Our code is open source too. So that could help
rp_st
04/10/2022, 9:36 AMu
._.kp
04/10/2022, 9:39 AMwow its help so much, i've explored the java code but im lost XD. didn't know all explained well on the wiki. thank you!
2 Views