Skip to content

refactor(refresh): remove the legacy refresh-token fallback scan#72

Merged
Bccorb merged 1 commit into
mainfrom
feat/refresh-fallback-telemetry
Jul 7, 2026
Merged

refactor(refresh): remove the legacy refresh-token fallback scan#72
Bccorb merged 1 commit into
mainfrom
feat/refresh-fallback-telemetry

Conversation

@Bccorb

@Bccorb Bccorb commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Closes #18

Summary

Removes the legacy refresh-token fallback scan entirely (superseding the earlier telemetry approach).

findRefreshSessionByToken now resolves a session solely by its indexed refreshTokenLookup fingerprint and returns Session | null. The compatibility path that, on a lookup miss, loaded every pre-fingerprint session (Session.findAll({ refreshTokenLookup: null })) and bcrypt-compared each hash is gone, along with the RefreshSessionLookupResult wrapper and the now-unused compareSync import.

Why now

The refreshTokenLookup column was added months ago (migration 20260423150000-add-refresh-token-lookup). Any session created before it is far past the refresh-token TTL (1h by default), so no active session relies on the fallback. Removing it drops a full-table Session.findAll + per-row bcrypt on every lookup miss.

Behavior change

Sessions created before the refreshTokenLookup migration are no longer refreshable and must re-authenticate. As above, none should be active. The /refresh response shape and success path are unchanged.

Changes

  • src/services/sessionService.ts — simplify findRefreshSessionByToken to the indexed lookup; return Session | null; drop the interface and compareSync import.
  • src/controllers/authentication.ts — consume the plain session; remove the usedLegacyFallback / legacyFallbackCandidates handling.
  • Tests (unit/integration/e2e) updated to the new return type; the legacy-scan tests are removed and replaced with lookup hit/miss coverage.

Testing

Typecheck + lint clean; full suite green (495 passed). Rebased onto current main.

@codecov-commenter

codecov-commenter commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/controllers/authentication.ts 50.00% 0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

findRefreshSessionByToken now resolves sessions solely by their indexed
refreshTokenLookup fingerprint and returns Session | null. The legacy
compatibility path that scanned every pre-fingerprint session and
bcrypt-compared each hash on a lookup miss is removed, along with the
RefreshSessionLookupResult wrapper and its per-request Session.findAll
scan. The refresh controller and tests are updated accordingly.

Sessions created before the refreshTokenLookup migration are no longer
refreshable and must re-authenticate; those are well past the refresh
token TTL, so no active sessions are affected.

Closes #18
@Bccorb Bccorb force-pushed the feat/refresh-fallback-telemetry branch from 883d99d to 7d89315 Compare July 7, 2026 23:23
@Bccorb Bccorb changed the title feat(refresh): emit telemetry when the legacy refresh fallback is used refactor(refresh): remove the legacy refresh-token fallback scan Jul 7, 2026
@Bccorb Bccorb merged commit 0c6d1b0 into main Jul 7, 2026
2 of 3 checks passed
@Bccorb Bccorb deleted the feat/refresh-fallback-telemetry branch July 7, 2026 23:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Plan removal of legacy refresh-token fallback scans

2 participants