Create a JWT refresh token. Always sets ``exp``, ``iat`` and a random ``jti``. ``iat`` is required for logout/password-change revocation to apply to refresh tokens; ``jti`` enables one-time-use rotation with replay detection.
(data: dict, expires_delta: timedelta | None = None)
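def create_refresh_token(data: dict, expires_delta: timedelta | None = None):
    """
    Create a JWT refresh token.

    Always sets ``exp``, ``iat`` and a random ``jti``. ``iat`` is required
    for logout/password-change revocation to apply to refresh tokens;
    ``jti`` enables one-time-use rotation with replay detection.

    Args:
        data: Claims to embed. The dict is shallow-copied, not mutated. Any
            ``exp``, ``iat``, ``type`` or ``jti`` key it carries is
            overwritten by the values set here.
        expires_delta: Lifetime of the token. ``None`` selects
            ``JWT_REFRESH_TOKEN_EXPIRES``. An explicit zero delta is
            honoured and yields a token whose ``exp`` equals ``iat``.

    Returns:
        The encoded token as returned by ``jwt.encode``.
    """
    import secrets as _secrets

    # Compare against None rather than truthiness: ``timedelta(0)`` is falsy,
    # and a caller asking for a zero lifetime must not silently receive the
    # full default refresh lifetime.
    lifetime = JWT_REFRESH_TOKEN_EXPIRES if expires_delta is None else expires_delta
    now = datetime.now(timezone.utc)

    # Reserved claims are applied after the copy so caller-supplied ``data``
    # cannot override the expiry, token type or identifier.
    to_encode = data.copy()
    to_encode.update({
        "exp": now + lifetime,
        "iat": now,
        "type": "refresh",
        # 16 random bytes from the ``secrets`` CSPRNG, URL-safe encoded.
        "jti": _secrets.token_urlsafe(16),
    })
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)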
| 187 | |
| 188 | |
| 189 | def _get_revocation_redis_client(): |