Author: Heesun Lee

Last updated: Aug 19, 2025

Intro: core features/terminologies

• accessToken: short-lived token (~= 15m). keeps exposure low if it leaks

  export type AccessPayload  = JWTPayload & { sub: string; type: 'access'; role: Role };
  
  

• refreshToken: long-lived token (~= 7d). stored in HttpOnly cookie, so not exposed to JS

  → used to re-issue access silently

  export type RefreshPayload = JWTPayload & { sub: string; type: 'refresh'; jti: string; role?: Role };
  
  

• Session table with jti

  • jti: JWT(JSON Web Token) ID. unique identifier string attached to each token.

    const jti = crypto.randomUUID();
    
    

  • session table with jti allows server-side invalidation → logout, password reset, or force revoke.

  • revokedAt: DateTime?: soft-revoke timestamp. When set, the refresh session is invalid even if expiresAt is in the future (used on rotation & logout).

• Cookie Storage: HttpOnly + Secure + SameSite

  • Prevents XSS (Cross-site scripting) access, reduces CSRF (Cross-Site Request Forgery).

• Token rotation : issuing a new refresh token each time and revoking the old one

  • Each refresh use → issue new access + new refresh
  • Old refresh is revoked in session table
  • Protects against replay attacks

Example: Login route

1. User login verified
2. Issue access + refresh
3. Save refresh.jti in session table
4. Set cookies (HttpOnly, Secure, SameSite)

Use-case: profile page

1. Client requests /profile
2. middleware runs a cheap check
   • Why need it?
     • Verify access token only
     • Block unauthorized fast (before DB call, lower cost, better UX)
     • Example: /admin → deny if no role: ADMIN