I managed to implement authentication with JWT tokens based on an access token, a refresh token and RTR (refresh token rotation). It simply follows all the rules:
- Tokens are signed JWTs, each with its own secret (one for access, one for refresh)
- Tokens are set in httpOnly cookies with the secure option, so XSS and man-in-the-middle are prevented
- The refresh token has its path set only to the endpoint for refreshing tokens, so it is not sent on every request
- RTR is enabled and on every refresh the refresh token is blacklisted in the db and a new access and refresh token are sent back
- CSRF tokens are used on routes that insert/delete/update the db to prevent attacks
Now the only problem I see is what to do when someone steals a refresh token. If someone actually steals it, he can send it to my refresh endpoint; he will then blacklist that stolen token and get himself a new pair of valid tokens that he can use indefinitely, since I don't want to keep track of sessions and users (that is why I use stateless authentication). How can I detect a stolen refresh token? Should I somehow keep track of refresh tokens in the db? How can someone even steal a refresh token?