Mercury

Threads

JB
You

Refactor the auth middleware to support refresh-token rotation, and show me the diff before applying.

M
Mercury · gpt-class agent

On it. I'll rotate refresh tokens on each use and invalidate the prior token server-side. Inspecting the current middleware first.

Read auth/middleware.ts 
export async function requireAuth(req, res, next){
  const token = readBearer(req)
  const claims = verify(token)        // ← no rotation today
  req.user = claims.sub
  next()
}

Now drafting the rotation logic and a backing store for the token family

thinking · 14s

No agents configured yet

Spin up a specialised agent — give it a model, tools, and a system prompt. It'll show up here, ready to run.

Loading review…

Review

2 files
auth/middleware.ts+12 −3
12 export async function requireAuth(req, res, next){
13- const claims = verify(token)
13+ const claims = verify(token)
14+ await rotateRefresh(claims.fam, token)
15+ res.setHeader('x-token-rotated', '1')
16 req.user = claims.sub
auth/token-store.ts+28 new
1+ const families = new Map()
2+ export async function rotateRefresh(fam, prev){
3+ families.get(fam)?.revoke(prev)
4+ }
Generated 2 artifacts · 0 conflicts
Buttons · spring + sheen
Status · glow
Running Awaiting Indexed
Skeleton · shimmer
Floating · glass
Changes applied
2 files written · rotation enabled