refresh-token-rotation-must-be-atomic-same-transaction

JWT refresh token rotation must execute as a single database transaction: revoking the old opaque refresh token and inserting the new one happen atomically. If the revocation of the old token takes effect before the new token commits, a server error in between leaves the user permanently logged out. The R-Same implementation stores SHA-256-hashed refresh tokens in the sessions table and rotates within one SQLAlchemy transaction.
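The rotation described above, as an added example that is not the R-Same code: it uses the standard-library `sqlite3` module in place of SQLAlchemy so it runs without dependencies. The column names, function names and the `fail_before_insert` switch are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

def token_hash(token):
    # Only the SHA-256 digest of the opaque token is stored.
    return hashlib.sha256(token.encode()).hexdigest()

def open_db():
    # isolation_level=None: no implicit transactions, BEGIN/COMMIT are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)")
    return db

def issue(db, user_id):
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions (token_hash, user_id) VALUES (?, ?)",
               (token_hash(token), user_id))
    return token

def is_active(db, token):
    row = db.execute("SELECT revoked FROM sessions WHERE token_hash = ?",
                     (token_hash(token),)).fetchone()
    return row is not None and row[0] == 0

def rotate(db, old_token, fail_before_insert=False):
    old = token_hash(old_token)
    db.execute("BEGIN IMMEDIATE")  # take the write lock up front
    try:
        cur = db.execute("UPDATE sessions SET revoked = 1 "
                         "WHERE token_hash = ? AND revoked = 0", (old,))
        if cur.rowcount != 1:
            raise PermissionError("unknown or already rotated refresh token")
        (user_id,) = db.execute("SELECT user_id FROM sessions "
                                "WHERE token_hash = ?", (old,)).fetchone()
        if fail_before_insert:  # hypothetical switch: simulated server error
            raise RuntimeError("simulated failure between revoke and insert")
        new_token = issue(db, user_id)
        db.execute("COMMIT")  # revoke + insert become visible together
        return new_token
    except Exception:
        db.execute("ROLLBACK")  # the revocation is undone, old token still works
        raise
```

Because the revoke and the insert share one transaction, a failure between them rolls both back and the client can retry with the token it still holds.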