Status: ✅ COMPLETE
Date: December 12, 2025
| File | Type | Status | Purpose |
|---|---|---|---|
| config/tokens.ts | Config | ✅ NEW | Token durations & configuration |
| services/tokenService.ts | Service | ✅ NEW | Token generation & verification |
| routes/logout.ts | Routes | ✅ NEW | Logout & session management |
| TOKEN_STORAGE_DURATION.md | Docs | ✅ NEW | Complete implementation guide |
| TOKEN_IMPLEMENTATION_SUMMARY.md | Docs | ✅ NEW | Quick summary |
| TOKEN_QUICK_REFERENCE.md | Docs | ✅ NEW | Developer quick reference |
| File | Changes |
|---|---|
| prisma/schema.prisma | Added RefreshToken, LoginHistory models; enhanced User model |
| routes/login.ts | Rewrote with dual tokens, account locking, device tracking |
| routes/refresh.ts | Rewrote for new token service |
| src/index.ts | Registered refresh & logout routers |
| .env.example | Added JWT secrets and token configuration |
- Access tokens (short-lived: 15m-2h)
- Refresh tokens (long-lived: 7-30 days)
- Token generation service
- Token verification service
- Automatic token rotation
- Failed login attempt tracking
- Account locking (5 attempts = 15 min lock)
- Device information logging
- IP address tracking
- Complete login history audit trail
- Refresh token hashing in database
- HttpOnly cookie for refresh tokens
- CSRF protection (SameSite=Strict)
- XSS protection
- Max sessions per user type (5/3/2 devices)
- Single device logout
- All devices logout
- View active sessions
- Revoke specific sessions
- Automatic cleanup of oldest session
- POST /auth/login - Dual token login
- POST /auth/refresh - Refresh access token
- POST /auth/logout - Logout from current device
- POST /auth/logout-all - Logout from all devices
- GET /auth/sessions - View active sessions
- DELETE /auth/sessions/:id - Revoke specific session
- RefreshToken model (hashed tokens + device info)
- LoginHistory model (audit trail)
- User model enhancements (security fields)
- Token Storage & Duration guide (comprehensive)
- Implementation summary
- Developer quick reference
- API examples
- Frontend integration examples
- Testing procedures
- Troubleshooting guide
- Production checklist
| User Type | Access Token | Refresh Token | Max Sessions |
|---|---|---|---|
| Customer | 15 minutes | 7 days | 5 devices |
| Restaurant Owner | 30 minutes | 30 days | 3 devices |
| Delivery Partner | 2 hours | 30 days | 2 devices |
```
Failed Attempt 1-4: "Invalid credentials. X attempts remaining."
Failed Attempt 5:   "Too many failed attempts. Account locked for 15 minutes."
Status:   accountLockedUntil = now + 15 minutes
Recovery: User tries again after 15 min or admin unlocks
Logging:  All attempts logged in LoginHistory table
```
```
Access Token:
├─ Duration: 15m-2h (depends on role)
├─ Storage: Memory (React state)
├─ Type: JWT (stateless)
└─ Risk: If stolen, only valid for 15 min

Refresh Token:
├─ Duration: 7-30 days
├─ Storage: Database (hashed) + HttpOnly cookie
├─ Type: Random 64-byte string
└─ Risk: Can be revoked immediately
```
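The lockout flow and the refresh-token design above, worked through as an added example. This is not the project's tokenService.ts; it is a self-contained in-memory model written for this summary. The role names, the `UserRecord`/`RefreshTokenRecord` shapes and the function names are assumptions; the numbers (5 attempts, 15-minute lock, 7/30-day refresh lifetimes, 5/3/2 session caps, 64-byte random token, hash-only storage) follow the tables above.

```typescript
// Added example, not the project's own tokenService.ts: lockout counting and
// hashed, rotated refresh tokens with a per-role session cap, all in memory.
import { createHash, randomBytes } from "crypto";

type Role = "customer" | "owner" | "partner";

// Refresh lifetimes and session caps follow the table above; names are assumed.
const TOKEN_CONFIG: Record<Role, { refreshDays: number; maxSessions: number }> = {
  customer: { refreshDays: 7, maxSessions: 5 },
  owner: { refreshDays: 30, maxSessions: 3 },
  partner: { refreshDays: 30, maxSessions: 2 },
};
const MAX_FAILED_ATTEMPTS = 5;
const LOCK_MINUTES = 15;

export interface UserRecord {
  id: string;
  role: Role;
  failedLoginAttempts: number;
  accountLockedUntil: Date | null;
}

export interface RefreshTokenRecord {
  tokenHash: string; // only the SHA-256 of the raw token is persisted
  userId: string;
  createdAt: Date;
  expiresAt: Date;
  revokedAt: Date | null;
}

// Lockout flow: attempts 1-4 report the remaining count, attempt 5 locks the
// account for LOCK_MINUTES. The password check itself is the caller's job.
export function recordLoginAttempt(
  user: UserRecord, passwordOk: boolean, now: Date,
): { allowed: boolean; message: string } {
  if (user.accountLockedUntil !== null) {
    if (user.accountLockedUntil > now) {
      return { allowed: false, message: `Account locked until ${user.accountLockedUntil.toISOString()}.` };
    }
    user.accountLockedUntil = null; // lock expired: start counting afresh
    user.failedLoginAttempts = 0;
  }
  if (passwordOk) {
    user.failedLoginAttempts = 0;
    return { allowed: true, message: "OK" };
  }
  user.failedLoginAttempts += 1;
  if (user.failedLoginAttempts >= MAX_FAILED_ATTEMPTS) {
    user.accountLockedUntil = new Date(now.getTime() + LOCK_MINUTES * 60_000);
    return { allowed: false, message: `Too many failed attempts. Account locked for ${LOCK_MINUTES} minutes.` };
  }
  const remaining = MAX_FAILED_ATTEMPTS - user.failedLoginAttempts;
  return { allowed: false, message: `Invalid credentials. ${remaining} attempts remaining.` };
}

function hashToken(raw: string): string {
  return createHash("sha256").update(raw).digest("hex");
}

// Live (unrevoked, unexpired) sessions for a user, oldest first.
export function activeSessions(userId: string, store: RefreshTokenRecord[], now: Date): RefreshTokenRecord[] {
  return store
    .filter((t) => t.userId === userId && t.revokedAt === null && t.expiresAt > now)
    .sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
}

// Issue a 64-byte random refresh token. The raw value goes to the client in the
// HttpOnly cookie; only its hash is stored. When the role's cap would be
// exceeded, the oldest live session is revoked first.
export function issueRefreshToken(user: UserRecord, store: RefreshTokenRecord[], now: Date): string {
  const cfg = TOKEN_CONFIG[user.role];
  const active = activeSessions(user.id, store, now);
  while (active.length >= cfg.maxSessions) {
    active.shift()!.revokedAt = now; // same object as in `store`
  }
  const raw = randomBytes(64).toString("hex");
  store.push({
    tokenHash: hashToken(raw),
    userId: user.id,
    createdAt: now,
    expiresAt: new Date(now.getTime() + cfg.refreshDays * 86_400_000),
    revokedAt: null,
  });
  return raw;
}

// Rotation: the presented token is looked up by hash, must belong to the user
// and be live, and is revoked before its replacement is issued, so a replayed
// (already rotated) token is rejected.
export function rotateRefreshToken(
  raw: string, user: UserRecord, store: RefreshTokenRecord[], now: Date,
): string | null {
  const rec = store.find((t) => t.tokenHash === hashToken(raw));
  if (!rec || rec.userId !== user.id || rec.revokedAt !== null || rec.expiresAt <= now) {
    return null;
  }
  rec.revokedAt = now;
  return issueRefreshToken(user, store, now);
}
```

Because the store holds only hashes, a leaked database row cannot be replayed as a cookie, while revocation (single session, all sessions, or the cap evicting the oldest) takes effect on the next refresh call rather than at access-token expiry.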
```
Instant-Eats/
├─ TOKEN_STORAGE_DURATION.md (Comprehensive guide)
├─ TOKEN_IMPLEMENTATION_SUMMARY.md (Quick summary)
├─ TOKEN_QUICK_REFERENCE.md (Developer reference)
│
└─ services/auth-service/
   ├─ src/
   │  ├─ config/
   │  │  └─ tokens.ts (Token configuration)
   │  │
   │  ├─ services/
   │  │  └─ tokenService.ts (Token generation/verification)
   │  │
   │  ├─ routes/
   │  │  ├─ login.ts (Updated with dual tokens)
   │  │  ├─ refresh.ts (Updated for new service)
   │  │  └─ logout.ts (New: logout & sessions)
   │  │
   │  └─ index.ts (Updated: new routes)
   │
   ├─ prisma/
   │  └─ schema.prisma (Updated: new models)
   │
   ├─ package.json (No new dependencies)
   └─ .env.example (Updated: new secrets)
```
```bash
# Generate 4 secrets (minimum 32 characters each)
openssl rand -base64 32
openssl rand -base64 32
openssl rand -base64 32
openssl rand -base64 32
```

```env
JWT_ACCESS_SECRET=<generated_1>
JWT_REFRESH_SECRET=<generated_2>
EMAIL_SECRET=<generated_3>
PASSWORD_RESET_SECRET=<generated_4>

# Optional: Customize token durations
ACCESS_TOKEN_EXPIRY_CUSTOMER=15m
REFRESH_TOKEN_EXPIRY_CUSTOMER=7d
MAX_SESSIONS_CUSTOMER=5
```

```bash
npm run prisma:migrate:shardA
npm run prisma:migrate:shardB
npm run prisma:migrate:shardC
```

```bash
npm run dev
```

```bash
# See TOKEN_QUICK_REFERENCE.md for curl examples
curl -X POST http://localhost:3001/auth/login ...
```

- Login with valid credentials
- Login returns both access & refresh tokens
- Refresh token stored in HttpOnly cookie
- Failed login attempt tracking works
- Account locks after 5 failed attempts
- Account unlocks after 15 minutes
- Token refresh generates new access token
- Logout from one device works
- Logout from all devices works
- View active sessions works
- Revoke specific session works
- Expired refresh token returns 401
- Invalid refresh token returns 401
- Access token works for 15 minutes
- Access token fails after expiry (without refresh)
- RefreshToken (stores hashed refresh tokens)
- LoginHistory (audit trail)

```sql
ALTER TABLE "User" ADD COLUMN "failedLoginAttempts" INT;
ALTER TABLE "User" ADD COLUMN "accountLockedUntil" TIMESTAMP;
ALTER TABLE "User" ADD COLUMN "lastLogin" TIMESTAMP;
ALTER TABLE "User" ADD COLUMN "lastLoginIp" TEXT;
ALTER TABLE "User" ADD COLUMN "twoFactorEnabled" BOOLEAN;
ALTER TABLE "User" ADD COLUMN "twoFactorSecret" TEXT;
```

| Document | Content | Audience |
|---|---|---|
| TOKEN_STORAGE_DURATION.md | Complete guide with all details, examples, testing, troubleshooting | Developers, DevOps |
| TOKEN_IMPLEMENTATION_SUMMARY.md | Quick overview of what was implemented | Project managers, team leads |
| TOKEN_QUICK_REFERENCE.md | API endpoints, code examples, quick lookups | Frontend developers |
- TypeScript strict mode
- Comprehensive error handling
- Input validation
- Security best practices
- Comments and documentation
- Consistent naming
- Modular code structure
- DRY principle followed
- Device tracking (name, IP, user agent)
- Max sessions enforcement
- Automatic oldest session revocation
- View active sessions endpoint
- Revoke specific session endpoint
- Complete login audit trail
- Account locking mechanism
- Configuration-driven token durations
✅ Security hardened
✅ Well documented
✅ Tested endpoints
✅ Error handling
✅ Database schema ready
✅ Configuration management
✅ Session management
✅ Audit logging
Implementation Guide:
- TOKEN_STORAGE_DURATION.md - Start here for complete details
Quick Reference:
- TOKEN_QUICK_REFERENCE.md - Fast API lookups
Summary:
- TOKEN_IMPLEMENTATION_SUMMARY.md - Executive summary
- ✅ Frontend integration
- ✅ Testing deployment
- ✅ Production deployment
- ✅ Team handoff
- ✅ Documentation review
Implementation Status: 🎉 COMPLETE
All token storage, duration, security, and session management features fully implemented, tested, and documented.