VERSIONS:
Spring Boot version: 3.1.0
Java version: 17
The server generates two tokens:
1- access token: this token is short-lived and is sent with every request.
On each request we check that the token sent is an access token, not a refresh token.
2- refresh token: this token is long-lived; if it has not expired, we use it to generate a new access token after the access token expires.
If a hacker steals a refresh token, we can revoke that refresh token in the database;
the hacker then cannot use it to generate a new access token.
*Note: if a hacker steals an access token, that token expires in a short time.
The real problem is a stolen refresh token, so we store the refresh token in the database.
Users can log out from the front end by deleting the access token and the refresh token from storage, session, or cookies.
Why do we make a specific API for logout?
Because when the user logs out, we revoke the refresh token in the database.
This is for security: it prevents anyone who stole the refresh token before it was deleted from storage, session, or cookies from using it.
If the user logs in from another place, we revoke the refresh token the user already has and generate a new refresh token for the new login; the user is then logged out from the first place.
**Note: this code uses this design, but the design can easily be changed.
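The design above as an added illustration (not the project's code): the signed JWT is replaced by a plain record carrying a type claim, an in-memory map stands in for the refresh-token table, and the 15-minute/7-day lifetimes are assumed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative stand-in for the real JWT + database setup; not the project's code.
public class TokenService {
    public enum Type { ACCESS, REFRESH }
    public record Token(String id, String user, Type type, Instant expiresAt) {
        boolean expired() { return Instant.now().isAfter(expiresAt); }
    }
    private static final Duration ACCESS_TTL = Duration.ofMinutes(15); // assumed
    private static final Duration REFRESH_TTL = Duration.ofDays(7);    // assumed
    // user -> currently valid refresh token (stands in for the refresh_token table)
    private final Map<String, Token> refreshStore = new ConcurrentHashMap<>();

    // Login: revoke the refresh token from any earlier login, then issue a fresh pair.
    public Token[] login(String user) {
        refreshStore.remove(user); // first place is now logged out
        Token refresh = new Token(UUID.randomUUID().toString(), user, Type.REFRESH,
                Instant.now().plus(REFRESH_TTL));
        refreshStore.put(user, refresh);
        return new Token[] { newAccess(user), refresh };
    }

    // Every protected request: only an unexpired ACCESS token is accepted.
    public boolean authorize(Token t) {
        return t.type() == Type.ACCESS && !t.expired();
    }

    // Refresh endpoint: must be a REFRESH token, unexpired, and still present in the store.
    public Token refresh(Token t) {
        Token stored = refreshStore.get(t.user());
        if (t.type() != Type.REFRESH || t.expired()
                || stored == null || !stored.id().equals(t.id())) {
            throw new SecurityException("refresh token invalid or revoked");
        }
        return newAccess(t.user());
    }

    // Logout API: revoke server-side so a copy stolen before the client deleted it is useless.
    public void logout(String user) { refreshStore.remove(user); }

    private Token newAccess(String user) {
        return new Token(UUID.randomUUID().toString(), user, Type.ACCESS,
                Instant.now().plus(ACCESS_TTL));
    }
}
```

After `logout(user)` or a second `login(user)`, a `refresh(...)` call with the old refresh token throws, which is the revocation behaviour the notes describe.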