Bind refresh tokens to issuing client_id #80

@markwylde

Description

Summary

Refresh tokens are not bound to the client that originally received them.

Evidence

  • Session storage lacks client_id binding for refresh token ownership.
  • packages/api/src/controllers/user/token.ts refresh flow accepts supplied client_id without enforcing original issuing client match.

Security Impact

A refresh token stolen from one client can be replayed by any other valid client, which presents its own client_id and obtains fresh tokens for the victim's session (cross-client token swapping). Because the issuing client is not recorded, the server cannot distinguish the legitimate client's refresh from the replay.

Required Fix

  • Persist the issuing client_id with each session/refresh token record at issuance time.
  • On refresh, take the client identity from client authentication (not from the client_id supplied in the request body) and require it to match the stored issuing client_id.
  • Reject refresh attempts whose authenticated client does not match the stored client; a mismatch indicates the token has been exposed to another party.

Acceptance Criteria

  • Refresh token records include issuing client_id.
  • Refresh succeeds only for original client.
  • Tests validate mismatch rejection paths.
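The following is an added example of the fix and the acceptance tests described above, written for this issue and not taken from the project's token.ts. It assumes a hypothetical in-memory session store (`RefreshTokenService`, `RefreshSession`) in place of the project's real session storage; the stored client_id is compared against the client identity established by client authentication, never against a client_id copied from the request body. Revoking the token on mismatch (rather than only rejecting the attempt) and rotating it on every successful refresh are design choices added here, not requirements stated in the issue.

```typescript
import { randomBytes, createHash } from "node:crypto";

// Hypothetical session record; the clientId field is the binding this issue says is missing.
interface RefreshSession {
  userId: string;
  clientId: string;   // client_id the token was issued to
  tokenHash: string;  // sha256 of the opaque token; the raw token is never stored
  expiresAt: number;  // epoch milliseconds
}

type RefreshResult =
  | { ok: true; refreshToken: string; userId: string }
  | { ok: false; reason: "unknown_token" | "expired" | "client_mismatch" };

class RefreshTokenService {
  private readonly sessions = new Map<string, RefreshSession>(); // keyed by tokenHash

  // ttlMs and now are injectable so expiry can be tested without waiting.
  constructor(
    private readonly ttlMs: number = 30 * 24 * 3600 * 1000,
    private readonly now: () => number = Date.now,
  ) {}

  private hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  // Issue a refresh token and persist the issuing client_id alongside it.
  issue(userId: string, clientId: string): string {
    const token = randomBytes(32).toString("base64url");
    const tokenHash = this.hash(token);
    this.sessions.set(tokenHash, { userId, clientId, tokenHash, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // authenticatedClientId must come from client authentication (e.g. verified client
  // credentials), not from a client_id field in the refresh request body.
  refresh(presentedToken: string, authenticatedClientId: string): RefreshResult {
    const key = this.hash(presentedToken);
    const session = this.sessions.get(key);
    if (!session) return { ok: false, reason: "unknown_token" };

    if (session.expiresAt <= this.now()) {
      this.sessions.delete(key);
      return { ok: false, reason: "expired" };
    }

    if (session.clientId !== authenticatedClientId) {
      // Cross-client replay: a different valid client holds this token, so treat it as
      // stolen and revoke it so the original client cannot use it either.
      this.sessions.delete(key);
      return { ok: false, reason: "client_mismatch" };
    }

    // Matching client: rotate the token (one-time use) and carry the binding forward.
    this.sessions.delete(key);
    const next = this.issue(session.userId, session.clientId);
    return { ok: true, refreshToken: next, userId: session.userId };
  }

  hasToken(token: string): boolean {
    return this.sessions.has(this.hash(token));
  }
}

// Constructed scenario: token issued to "web-app", replayed by the valid client "mobile-app".
function crossClientReplay(): RefreshResult {
  const svc = new RefreshTokenService();
  const stolen = svc.issue("user-1", "web-app");
  return svc.refresh(stolen, "mobile-app");
}

console.log("replay by another client:", crossClientReplay());
```

The mismatch branch is the control this finding requires; the rotation and the hashed storage are general refresh-token hygiene that make a replayed token detectable rather than silently honoured.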

Source

Security Review dated 2026-02-15, Finding 4 (High).

Metadata

Labels: security:high (High severity security issue)