V 01.03#3
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8df640d869
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (!string.IsNullOrWhiteSpace(storedToken.ReemplazadoPor)) | ||
| { | ||
| await RevokeSessionsAfterRefreshReuseAsync(storedToken, now, ipAddress, cancellationToken); |
There was a problem hiding this comment.
This branch revokes all active sessions every time the same already-revoked rotated token is presented, because ReemplazadoPor stays populated permanently and there is no "already handled" guard. In practice, anyone who captured one stale refresh token can keep replaying it until it expires and repeatedly invalidate newly issued sessions for that user (forced logout loop / persistent DoS). The revocation-on-reuse logic should run only on first detection for that token chain.
Useful? React with 👍 / 👎.
1 participant
New ubdate with better security