Refresh Token Rotation Gap Allows Session Hijacking via Replay Attack
A critical authentication vulnerability has been identified in the refresh token implementation. The system's token rotation mechanism fails to detect when a refresh token has already been reused, creating a window where a stolen token could be weaponized to maintain unauthorized access to a legitimate user's session.
The flaw centers on the absence of token family tracking during rotation. When an attacker obtains a refresh token through theft or other means, they can exchange it for a new access token, provided they act before the legitimate client completes its own rotation cycle. At that point, the system issues credentials to the attacker without invalidating the victim's ongoing session, effectively enabling parallel access to the same account. The current implementation rotates tokens but lacks the logic to recognize when an already-rotated token is presented a second time, the signal that the token was compromised and is being replayed.
The proposed remediation involves implementing refresh token family tracking with a `family_id` UUID column to group tokens by issuance lineage. Under this model, any presentation of an already-rotated token would trigger automatic invalidation of the entire token family, forcing a complete logout. The acceptance criteria also call for a `refresh_token_reuse` audit event to log detection of reuse attempts. Comprehensive test coverage for this scenario remains pending, without which the vulnerability could persist undetected through future code changes. Organizations relying on this authentication flow face risk of persistent session compromise if a refresh token is exfiltrated.
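To make the family-tracking remediation concrete, the following Python example is added here; it is not the affected system's code, and the class and function names, the sample user, and the fields attached to the audit event are assumptions of this example. It models both behaviours side by side: with detect_reuse=False the store rotates without noticing a second presentation (the gap described above), and with detect_reuse=True a second presentation of an already-rotated token revokes every token in its family_id lineage and records a refresh_token_reuse event. The simulation has the thief rotate first and the victim's client rotate afterwards; the detection is symmetric, so the outcome is the same if the victim rotates first and the thief replays later.

```python
"""Refresh token rotation with family tracking and reuse detection.

Added illustration; not the affected system's code. RefreshTokenStore,
simulate_theft and the audit event fields are assumptions of this example.
"""
import hashlib
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional


class InvalidToken(Exception):
    """Presented token is unknown or belongs to a revoked family."""


class ReuseDetected(Exception):
    """An already-rotated token was presented again: the family is compromised."""


@dataclass
class RefreshToken:
    family_id: str          # groups every token descended from one login
    user_id: str
    rotated: bool = False   # set once this token has been exchanged
    revoked: bool = False   # set when the whole family is invalidated


class RefreshTokenStore:
    def __init__(self, detect_reuse: bool = True):
        self.detect_reuse = detect_reuse          # False reproduces the gap
        self._tokens: dict = {}                   # sha256(raw) -> RefreshToken
        self.audit_events: list = []              # stand-in for the audit log

    @staticmethod
    def _key(raw: str) -> str:
        # Store only a hash so a leaked table does not hand out live tokens.
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user_id: str, family_id: Optional[str] = None) -> str:
        """Mint a token; login starts a new family, rotation stays in the family."""
        raw = secrets.token_urlsafe(32)
        self._tokens[self._key(raw)] = RefreshToken(family_id or str(uuid.uuid4()), user_id)
        return raw

    def is_valid(self, raw: str) -> bool:
        rec = self._tokens.get(self._key(raw))
        return rec is not None and not rec.revoked and not rec.rotated

    def _revoke_family(self, family_id: str) -> int:
        n = 0
        for rec in self._tokens.values():
            if rec.family_id == family_id and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def rotate(self, raw: str) -> str:
        rec = self._tokens.get(self._key(raw))
        if rec is None or rec.revoked:
            raise InvalidToken()
        if rec.rotated and self.detect_reuse:
            # Second presentation of a rotated token. We cannot tell whether the
            # victim or the thief is holding it, so every token in the lineage dies.
            n = self._revoke_family(rec.family_id)
            self.audit_events.append({
                "event": "refresh_token_reuse",
                "user_id": rec.user_id,
                "family_id": rec.family_id,
                "tokens_revoked": n,
            })
            raise ReuseDetected(rec.family_id)
        rec.rotated = True
        return self.issue(rec.user_id, rec.family_id)


def simulate_theft(detect_reuse: bool) -> dict:
    """Victim logs in, a copy of the token is rotated first, then the victim rotates.

    Returns what each party holds afterwards so the two behaviours can be compared.
    """
    store = RefreshTokenStore(detect_reuse=detect_reuse)
    victim_token = store.issue("alice")        # constructed sample user
    stolen_copy = victim_token                 # exfiltrated by some means
    thief_token = store.rotate(stolen_copy)    # copy wins the race
    reuse_detected = False
    try:
        store.rotate(victim_token)             # victim's client rotates the same token
    except ReuseDetected:
        reuse_detected = True
    return {
        "reuse_detected": reuse_detected,
        "thief_token_still_valid": store.is_valid(thief_token),
        "audit_events": [e["event"] for e in store.audit_events],
    }


if __name__ == "__main__":
    print("without family tracking:", simulate_theft(detect_reuse=False))
    print("with family tracking:   ", simulate_theft(detect_reuse=True))
```

Without family tracking the victim's client receives a fresh token and the thief's token stays valid, which is the parallel access described above and nothing is logged. With family tracking the victim's second presentation of the rotated token revokes both tokens in the family, forces a full re-login, and leaves a refresh_token_reuse event for the SOC to alert on; a regression test that asserts on exactly this outcome is the pending coverage the acceptance criteria call for.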