jwt-refresh-token-rotation-must-be-atomic
Refresh token rotation (revoke the presented token and issue its successor) must happen inside a single database transaction: the revocation record and the new-token insert commit together or not at all. If they are separate statements, a crash or error between them leaves either a revoked token with no successor (the client is logged out for no reason) or a successor with the old token still live (two valid tokens from one grant). A transaction on its own does not close the concurrency hole, though: under read-committed isolation two concurrent requests presenting the same refresh token can both read it as unrevoked and both commit, producing duplicate sessions. The revoke must therefore be a conditional write (UPDATE ... WHERE revoked_at IS NULL with a check that exactly one row changed, or SELECT ... FOR UPDATE / an equivalent row lock taken before the read), and the request that loses must be rejected rather than issued a second session.
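An added illustration of the pattern in Python on SQLite, not code from the identity backend this note belongs to. BEGIN IMMEDIATE serialises writers, the conditional UPDATE plus rowcount check rejects the loser, and a failure between the two writes rolls the revocation back. The table name, column names, the crash_after_revoke hook and the race() harness are assumptions made for the demo; tokens are generated inline.

```python
# Atomic refresh-token rotation (revoke old + issue new) on SQLite. Added
# illustration: schema, names and the crash_after_revoke flag are assumptions.
import hashlib
import os
import secrets
import sqlite3
import tempfile
import threading
import time
from typing import List, Tuple

class RotationError(Exception):
    """Presented token is unknown, already rotated, or lost the race."""

def _h(token: str) -> str:
    # Store only a hash, so a database leak does not leak live tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def _connect(path: str) -> sqlite3.Connection:
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT/ROLLBACK are ours.
    # timeout: wait for the write lock instead of failing with "database is locked".
    return sqlite3.connect(path, isolation_level=None, timeout=5.0)

def new_store() -> str:
    """Create an empty token store in a temp file and return its path (demo only)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = _connect(path)
    conn.execute("CREATE TABLE refresh_tokens (token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL,"
                 " issued_at REAL NOT NULL, revoked_at REAL, replaced_by TEXT)")
    conn.close()
    return path

def issue(path: str, user_id: str) -> str:
    """Mint a fresh refresh token for user_id (e.g. at login)."""
    token = secrets.token_urlsafe(32)
    conn = _connect(path)
    conn.execute("INSERT INTO refresh_tokens VALUES (?, ?, ?, NULL, NULL)",
                 (_h(token), user_id, time.time()))
    conn.close()
    return token

def rotate(path: str, presented: str, crash_after_revoke: bool = False) -> str:
    """Revoke `presented` and issue its successor in ONE transaction.

    BEGIN IMMEDIATE takes SQLite's write lock up front, serialising concurrent
    rotations of the same token. The conditional UPDATE plus rowcount check is
    what rejects the loser on databases whose isolation lets both requests
    read the row as unrevoked.
    """
    successor = secrets.token_urlsafe(32)
    conn = _connect(path)
    try:
        conn.execute("BEGIN IMMEDIATE")
        row = conn.execute("SELECT user_id FROM refresh_tokens WHERE token_hash = ? AND revoked_at IS NULL",
                           (_h(presented),)).fetchone()
        if row is None:
            raise RotationError("token unknown or already rotated (possible reuse)")
        cur = conn.execute("UPDATE refresh_tokens SET revoked_at = ?, replaced_by = ?"
                           " WHERE token_hash = ? AND revoked_at IS NULL",
                           (time.time(), _h(successor), _h(presented)))
        if cur.rowcount != 1:  # another transaction revoked it first
            raise RotationError("lost the rotation race")
        if crash_after_revoke:  # demo hook: failure between the two writes
            raise RuntimeError("simulated crash between revoke and insert")
        conn.execute("INSERT INTO refresh_tokens VALUES (?, ?, ?, NULL, NULL)",
                     (_h(successor), row[0], time.time()))
        conn.execute("COMMIT")  # revocation and successor become visible together...
        return successor
    except BaseException:
        if conn.in_transaction:
            conn.execute("ROLLBACK")  # ...or neither does
        raise
    finally:
        conn.close()

def is_live(path: str, token: str) -> bool:
    """True if `token` exists and has not been revoked."""
    conn = _connect(path)
    row = conn.execute("SELECT 1 FROM refresh_tokens WHERE token_hash = ? AND revoked_at IS NULL",
                       (_h(token),)).fetchone()
    conn.close()
    return row is not None

def race(path: str, token: str, n: int = 4) -> Tuple[int, int]:
    """Present the same token from n threads at once; return (winners, rejected)."""
    winners: List[str] = []
    rejected: List[str] = []
    start = threading.Barrier(n)

    def worker() -> None:
        start.wait()  # release all threads together to maximise overlap
        try:
            winners.append(rotate(path, token))
        except RotationError as exc:
            rejected.append(str(exc))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(winners), len(rejected)

if __name__ == "__main__":
    db = new_store()
    print("winners, rejected:", race(db, issue(db, "alice")))  # (1, 3)
    t = issue(db, "bob")
    try:
        rotate(db, t, crash_after_revoke=True)
    except RuntimeError:
        pass
    print("still live after failed rotation:", is_live(db, t))  # True
```

Running the module shows four concurrent presentations of one token yielding exactly one successor and three rejections, and a token whose rotation failed mid-way staying usable because the revocation was rolled back. On PostgreSQL or MySQL the equivalent is the same conditional UPDATE inside a transaction (or SELECT ... FOR UPDATE before the read); the rowcount check is the part that must not be skipped, since those engines do not take the write lock at BEGIN the way BEGIN IMMEDIATE does.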
Related
- r-same-m1-identity-backend-core-wave-1-pass-1
- docker
- r-same-m1-identity-pass-2-admin-mfa-enroll-password-reset-re
- 2026-04-04-oracle-001-self-architecture-analysis
- alembic-ini-dev-db-url-triggers-secret-scanner
- alembic-ini-db-url-secret-scanner-catches-plaintext
- refresh-token-rotation-must-be-atomic-same-transaction