nova_auth_refresh (nova_auth v0.2.0)

View Source

Short-lived access tokens paired with rotating refresh tokens.

generate_pair/2 issues an access token (validated for access_token_validity_minutes) and a refresh token (valid for refresh_token_validity_days). The refresh token is single-use: refresh/2 rotates it, marking the old one used and issuing a fresh access+refresh pair in the same family_id. Presenting an already-used refresh token is treated as theft — the whole family is revoked (reuse_detected).

Requires the configured token_schema to have family_id (string) and used_at (utc_datetime) fields in addition to the session-token fields. Tokens are stored hashed via nova_auth_token.

Summary

Functions

Delete a single access token (logout of one device).

Issue a fresh access + refresh token pair for a user.

Resolve the user for a raw access token, honoring the access TTL.

Rotate a refresh token: on success returns a new access+refresh pair and marks the presented one used. A reused (already-rotated) token revokes the family.

Revoke ALL tokens for a user (e.g. on ban or global logout).

Revoke the refresh-token family that a raw refresh token belongs to.

Types

tokens()

-type tokens() :: #{access_token := binary(), refresh_token := binary()}.

Functions

delete_access_token/2

-spec delete_access_token(module(), binary()) -> ok.

Delete a single access token (logout of one device).

generate_pair(AuthMod, User)

-spec generate_pair(module(), map()) -> {ok, tokens()} | {error, term()}.

Issue a fresh access + refresh token pair for a user.

get_user_by_access_token/2

-spec get_user_by_access_token(module(), binary()) -> {ok, map()} | {error, term()}.

Resolve the user for a raw access token, honoring the access TTL.

refresh/2

-spec refresh(module(), binary()) -> {ok, tokens()} | {error, term()}.

Rotate a refresh token: on success returns a new access+refresh pair and marks the presented one used. A reused (already-rotated) token revokes the family.

revoke_all(AuthMod, UserId)

-spec revoke_all(module(), term()) -> ok.

Revoke ALL tokens for a user (e.g. on ban or global logout).

revoke_family/2

-spec revoke_family(module(), binary()) -> ok.

Revoke the refresh-token family that a raw refresh token belongs to.