1. Critical Refresh Token Rotation Flaw Allows Token Reuse After Legitimate Rotation
A critical security vulnerability: the `POST /auth/refresh` endpoint fails to invalidate refresh tokens after rotation, so an intercepted token remains functional even after the legitimate user has already rotated it. The flaw undermines the fundamental security guarantee of refresh token rotation—a mechanism d...
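To make the defect concrete, the following is an added illustration (not code from the affected service, whose implementation is not shown here). It models a minimal refresh-token store with a `vulnerable_refresh` handler that issues a successor token but never marks the presented token as spent, next to a `hardened_refresh` handler that revokes the old token on rotation and, when a spent token is presented again, revokes the whole token family so that a stolen copy cannot outlive the legitimate session. All class, function and field names (`RefreshTokenStore`, `TokenRecord`, `family`, `revoked`) are assumptions for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    """Server-side state for one refresh token (hypothetical schema)."""
    family: str          # all tokens descended from one login share a family id
    subject: str         # the user the token was issued to
    expires_at: float
    revoked: bool = False


class RefreshTokenStore:
    """In-memory store keyed by the SHA-256 of the token, never the raw token."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self.tokens: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_urlsafe(16)
        self.tokens[self._key(token)] = TokenRecord(family, subject, time.time() + self.ttl)
        return token

    def lookup(self, token: str) -> Optional[TokenRecord]:
        rec = self.tokens.get(self._key(token))
        if rec is None or rec.expires_at < time.time():
            return None
        return rec

    def revoke_family(self, family: str) -> None:
        for rec in self.tokens.values():
            if rec.family == family:
                rec.revoked = True


def vulnerable_refresh(store: RefreshTokenStore, presented: str) -> Optional[str]:
    """Models the flaw: a successor is issued, but the presented token stays valid."""
    rec = store.lookup(presented)
    if rec is None:
        return None
    return store.issue(rec.subject, rec.family)   # old token never marked spent


def hardened_refresh(store: RefreshTokenStore, presented: str) -> Optional[str]:
    """Rotation with one-time use and reuse detection."""
    rec = store.lookup(presented)
    if rec is None:
        return None
    if rec.revoked:
        # A spent token presented again means either the user or an attacker
        # holds a stale copy; neither can be trusted, so end the whole family.
        store.revoke_family(rec.family)
        return None
    rec.revoked = True                             # the presented token is now spent
    return store.issue(rec.subject, rec.family)


def demo(refresh_fn) -> Dict[str, bool]:
    """Replays the scenario from the advisory against a handler and reports what worked."""
    store = RefreshTokenStore()
    t0 = store.issue("alice")            # constructed sample login
    t1 = refresh_fn(store, t0)           # legitimate rotation by the user
    replay = refresh_fn(store, t0)       # the already-rotated token presented again
    after = refresh_fn(store, t1)        # does the legitimate successor still work?
    return {
        "rotated": t1 is not None,
        "old_token_reused": replay is not None,
        "family_alive": after is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_refresh))
    print("hardened:  ", demo(hardened_refresh))
```

Against the vulnerable handler the replay of `t0` succeeds and the session continues untouched, which is exactly the condition the advisory describes. Against the hardened handler the replay is rejected and, because reuse of a spent token is treated as a compromise signal, the legitimate successor `t1` is revoked as well, forcing a fresh login; that event is also the natural point to emit an alert for the security operations team.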