refresh-token-rotation-must-be-atomic-same-transaction

Refresh token rotation (revoke old + issue new) must occur in a single DB transaction to prevent race conditions where two simultaneous refresh requests both succeed. In R-Same’s SessionService, the old refresh token is revoked and the new one is written in one transaction. Any refactor to async or queue-based session management must preserve this atomicity guarantee.

Related

• jwt-refresh-token-rotation-must-be-atomic
• r-same-m1-identity-backend-core-wave-1-pass-1
• rbac-rls-must-enforce-at-query-execution-not-ui
• r-same-auth-constant-time-generic-errors-required
• azure-ad-sso-deferred-local-auth-is-v1