
Refreshing is possible for deleted users #402

Open
cjhwang0222 opened this issue May 13, 2021 · 3 comments
Comments

@cjhwang0222

cjhwang0222 commented May 13, 2021

Apologies for my broken English in advance.

While developing a site, I happened to find out that refreshing a pair of tokens is possible for deleted users as long as they keep their refresh tokens.

Steps I went through:

  1. Create an account and get issued a pair of tokens.
  2. Keep the refresh token in a safe way (for me, I overrode some code to issue the refresh token as an HttpOnly cookie).
  3. Delete the db, then regenerate a new empty db.
  4. The page where refreshing is processed returns a new pair of tokens.

When I reload the page, the refreshing process is NEVER denied, which could be abused, especially when ROTATE_REFRESH_TOKEN=true.

Though I'm using the blacklist, since the refresh token is the latest refreshed one, it would never be rejected.
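The following is an added example, not code from the issue or from the simplejwt project. It models the four steps above with a stdlib-only HS256 token issuer and an in-memory stand-in for the user table, and puts the reported behaviour (`refresh_vulnerable`: signature and expiry are the only checks, so the token of a deleted user keeps refreshing) next to a hardened variant (`refresh_hardened`: the `user_id` claim must still resolve to an active user before a new pair is minted). Claim names `user_id` and `token_type` follow simplejwt's conventions; the function names, the `users` dict and the signing key are constructed for this illustration. In a real deployment the extra lookup would live in whatever code handles the refresh request, not in a hand-rolled JWT library.

```python
"""Constructed model of the refresh flow described in the issue.

HMAC-SHA256 JWTs are built with the standard library only, so this runs
without Django or simplejwt. `users`, `refresh_vulnerable` and
`refresh_hardened` are illustrative names, not simplejwt's own API.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-signing-key"   # constructed for the example; load from config in real code
ACCESS_LIFETIME = 300                 # seconds
REFRESH_LIFETIME = 86400              # seconds

# In-memory stand-in for the auth_user table: {user_id: {"username", "is_active"}}
users = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict) -> str:
    """Build a compact JWS (header.payload.signature) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode(token: str, expected_type: str, now=None) -> dict:
    """Verify signature, expiry and token_type; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("token_type") != expected_type:
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def issue_pair(user_id: int, now=None) -> dict:
    """Mint an access/refresh pair for a user id (step 1 of the issue)."""
    now = time.time() if now is None else now
    return {
        "access": encode({"token_type": "access", "user_id": user_id, "exp": now + ACCESS_LIFETIME}),
        "refresh": encode({"token_type": "refresh", "user_id": user_id, "exp": now + REFRESH_LIFETIME}),
    }


def refresh_vulnerable(refresh_token: str, now=None) -> dict:
    """Behaviour the issue reports: a valid signature and an unexpired refresh
    token are sufficient. The user table is never consulted, so a deleted or
    deactivated user keeps receiving fresh pairs for the refresh lifetime."""
    claims = decode(refresh_token, "refresh", now)
    return issue_pair(claims["user_id"], now)


def refresh_hardened(refresh_token: str, now=None) -> dict:
    """Same cryptographic checks, plus: user_id must still be an active user.
    This also covers the empty-database case, where a blacklist table is
    empty too and therefore cannot help."""
    claims = decode(refresh_token, "refresh", now)
    user = users.get(claims["user_id"])
    if user is None or not user["is_active"]:
        raise PermissionError("user no longer exists or is inactive")
    return issue_pair(claims["user_id"], now)


def demo() -> dict:
    """Run steps 1-4 from the issue against both implementations."""
    users.clear()
    users[1] = {"username": "alice", "is_active": True}   # constructed user row
    pair = issue_pair(1)                                   # step 1: account + token pair
    refresh = pair["refresh"]                              # step 2: client keeps the refresh token
    users.clear()                                          # step 3: database wiped, user gone

    result = {}
    try:                                                   # step 4: does refresh still succeed?
        refresh_vulnerable(refresh)
        result["vulnerable_refresh_succeeds"] = True
    except (ValueError, PermissionError):
        result["vulnerable_refresh_succeeds"] = False
    try:
        refresh_hardened(refresh)
        result["hardened_refresh_succeeds"] = True
    except (ValueError, PermissionError):
        result["hardened_refresh_succeeds"] = False
    return result


if __name__ == "__main__":
    print(demo())  # {'vulnerable_refresh_succeeds': True, 'hardened_refresh_succeeds': False}
```

The lookup adds one query per refresh, which is the cost the thread goes on to discuss; the alternative of only relying on the blacklist does not close this gap, because after the database is recreated there is nothing in the blacklist to match against.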

@Andrew-Chen-Wang
Member

In general, I think this is why it's going to remain defaulted as False in the settings. I think what you mentioned is a good justification for keeping it that way :) Perhaps a link to this issue from the docs would be great if you'd like to create a PR!

@cjhwang0222
Author

The biggest problem, I think, is that such abuse can cause a sort of flood(?) in the blacklist db. So a solution(?) I've thought of is to refresh the refresh token only when it is near expiration. This process surely requires a decoding step, which might take a bit more time... but would it matter? 😝

@Andrew-Chen-Wang
Member

There is a setting that does that for every refresh, so it's possible. But it won't really be helpful if a client refreshes after expiration.
