Refresh token rotation

[geolunalg]

Overview

User Story:
As a security-conscious system, I want refresh tokens rotated so stolen refresh tokens are less useful.

Action Items

Acceptance Criteria:

• On every successful refresh:
  • backend issues new refresh token and invalidates the previous one (server-side)
  • refresh token cookie is updated
• If an old refresh token is reused after rotation, backend detects reuse and revokes the session family.

Resources/Instructions

• This issue is part of the epic: EPIC: Authentication & Session Management (JWT + Refresh) #2065

[rteas]

Might be complex, possibly a nice to have

[geolunalg]

@JackHaeg @trillium @rteas

This is something we can ask other team members to look at.

This will required that when the cliend request a new access token, the refresh token is also update and the httpOnly cookie is also updated and return the client.

The current auth code should be in DEV before someone picks this up.

Size M to L (maybe closer to a Large)