AshAuthentication.Oauth2Server.Changes.RotateRefreshToken
(ash_authentication_oauth2_server v0.1.0)
Change that rotates a refresh-token row atomically.
Attaches a filter expression, is_nil(rotated_to_id) and is_nil(revoked_at), to the changeset so the underlying UPDATE only matches a row that's still valid AND unrotated AND unrevoked. The :rotated_to_id argument is then written to the row.
A concurrent rotation race produces one winner; the loser's UPDATE matches zero rows and the Token core treats it as :reuse, triggering chain revocation per OAuth 2.1 §4.3.1.
Usage in your refresh-token resource:

```elixir
update :rotate do
  argument :rotated_to_id, :uuid_v7, allow_nil?: false
  accept []
  require_atomic? false
  change AshAuthentication.Oauth2Server.Changes.RotateRefreshToken
end
```
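The compare-and-set rotation and the reuse-triggered chain revocation described above, modelled in plain SQL over SQLite as an added example; this is not the library's own code, and the table, token ids and chain layout are constructed for illustration:

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema holding the three columns the change depends on.
SCHEMA = """
CREATE TABLE refresh_tokens (
    id            TEXT PRIMARY KEY,
    rotated_to_id TEXT,   -- successor token; NULL while this token is live
    revoked_at    TEXT    -- NULL until the token (or its chain) is revoked
)"""

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    # Constructed chain: t1 was already rotated to t2; t2 is the live token.
    con.executemany("INSERT INTO refresh_tokens VALUES (?, ?, ?)",
                    [("t1", "t2", None), ("t2", None, None)])
    con.commit()
    return con

def rotate(con, token_id, new_id):
    """Rotate token_id to new_id; returns 'ok' or 'reuse'.
    The WHERE clause is the SQL form of the attached filter: only a row that is
    still unrotated AND unrevoked matches, so concurrent rotations of the same
    token yield exactly one winner and the loser sees rowcount == 0."""
    cur = con.execute(
        "UPDATE refresh_tokens SET rotated_to_id = ? "
        "WHERE id = ? AND rotated_to_id IS NULL AND revoked_at IS NULL",
        (new_id, token_id))
    if cur.rowcount == 0:           # loser: token already rotated or revoked
        revoke_chain(con, token_id)  # treat as reuse -> revoke the whole chain
        return "reuse"
    con.execute("INSERT INTO refresh_tokens VALUES (?, NULL, NULL)", (new_id,))
    con.commit()
    return "ok"

def revoke_chain(con, token_id):
    """Mark every ancestor and descendant of token_id as revoked."""
    family, frontier = set(), [token_id]
    while frontier:
        tid = frontier.pop()
        if tid in family:
            continue
        family.add(tid)
        rows = con.execute(
            "SELECT rotated_to_id FROM refresh_tokens WHERE id = ? "
            "UNION SELECT id FROM refresh_tokens WHERE rotated_to_id = ?",
            (tid, tid)).fetchall()
        frontier.extend(r[0] for r in rows if r[0] is not None)
    now = datetime.now(timezone.utc).isoformat()
    con.executemany("UPDATE refresh_tokens SET revoked_at = ? WHERE id = ?",
                    [(now, tid) for tid in family])
    con.commit()

def is_live(con, token_id):
    """True only when the row exists and passes both halves of the filter."""
    row = con.execute("SELECT rotated_to_id, revoked_at FROM refresh_tokens "
                      "WHERE id = ?", (token_id,)).fetchone()
    return row == (None, None)
```

Replaying an already-rotated token returns "reuse" and revokes t1, t2 and t3 together, after which the legitimate successor t3 also fails the filter.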