From 74180d02e60be680225bf0bc21a1d481e4de24d0 Mon Sep 17 00:00:00 2001 From: Uyoxy Date: Mon, 29 Jun 2026 21:32:40 +0000 Subject: [PATCH] feat: refresh token rotation, admin scopes, Redis cache, history a11y MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #214 – Add refresh token rotation for JWT sessions - Issue short-lived access tokens (15 min) + long-lived refresh tokens (7 days) - Store refresh token hash in Session table (bcrypt, single-use) - POST /api/auth/refresh rotates pair; old token invalidated immediately - Logout deletes session row, nullifying the refresh token hash - Prisma migration: refreshTokenHash, refreshTokenExpiresAt on sessions - REFRESH_TOKEN_SECRET + REFRESH_TOKEN_TTL documented in .env.example #215 – Add per-key permission scoping for admin API keys - ADMIN_SCOPES enum: read | write | wallet | agent | super - requireAdminScope(scope) middleware factory; super implicitly grants all - Scope-mismatch failures written to AdminAuditLog with route + reason - 403 response includes human-readable reason field - validateScopesInput() for use in key-creation endpoint #213 – Add Redis caching layer for protocol rates and portfolio snapshots - ioredis client initialised in src/config/redis.ts, exported app-wide - Protocol rates cached per network with configurable TTL (default 60 s) - Portfolio snapshots cached per user; invalidatePortfolioSnapshot() for deposit/withdraw mutations - cache_hits_total + cache_misses_total Prometheus counters on /metrics - REDIS_URL + TTL vars documented in .env.example #352 – Improve transaction history filter and pagination accessibility - FilterBar: all controls have explicit