Token-based auth — bearer + refresh-token flow for native clients #180
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol#180
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Extend the existing cookie-session auth to also issue bearer tokens with refresh rotation, so the native (Android, Linux Flatpak) clients can authenticate against a self-hoster's deployment.
The web Expo build keeps the existing same-origin cookie flow. Native gets bearer tokens stored in secure storage. ADR-0015 (OAuth2 + linking) and ADR-0004 (server-side sessions) both stay — this ticket layers tokens on top.
Scope
POST /api/auth/tokenaccepting local credentials or an OAuth2 callback.POST /api/auth/refreshwith rotation and reuse detection — a refresh token used twice revokes the whole token family.Authorization: Bearer <token>as an accepted credential alongside the session cookie. The session layer resolves either to the sameUser.SecureStore); reference it in the Expo scaffolding ticket.bearerAuth.Acceptance criteria
POST /api/auth/tokenandPOST /api/auth/refreshexist, are zod-typed, and round-trip on both DB engines.Userand is subject to identical per-user isolation as a cookie-authenticated one.cookieAuthandbearerAuth.Out of scope
Composes with
ADR-0004, ADR-0015, ADR-0021, Expo client scaffolding, OpenAPI spec generation.
Part of
#176