Decode and validate a refresh JWT token. SECURITY: Always requires expiration claim for refresh tokens. Dev mode does not affect refresh token validation.
(token: str)
def decode_refresh_token(token: str) -> Optional[dict]:
    """Decode a refresh token and return its claims, or ``None`` if it is not acceptable.

    The token is verified against ``JWT_SECRET_KEY`` with ``ALGORITHM`` and
    must carry both an ``exp`` and a ``sub`` claim; a missing claim, a bad
    signature, a malformed token or an expired token all surface as
    ``PyJWTError`` and map to ``None``. A token that verifies but whose
    ``type`` claim is not ``"refresh"`` is rejected as well, so a token minted
    for another purpose is never accepted here.

    SECURITY: expiration is always enforced for refresh tokens; dev mode does
    not relax this validation.

    Args:
        token: The encoded JWT string presented by the client.

    Returns:
        The decoded claims dict for a valid refresh token, otherwise ``None``.
    """
    # Both claims are mandatory: without exp a leaked refresh token would never
    # lapse, and without sub there is no subject to bind the session to.
    required_claims = ["exp", "sub"]
    try:
        claims = jwt.decode(
            token,
            JWT_SECRET_KEY,
            algorithms=[ALGORITHM],
            options={"require": required_claims},
        )
    except PyJWTError:
        # Every verification failure is reported uniformly as "not a valid
        # refresh token"; callers only need the accept/reject outcome.
        return None

    # Only explicitly typed refresh tokens are accepted; anything else that
    # happens to verify under the same key is turned away.
    if claims.get("type") != "refresh":
        return None
    return claims
| 278 | def _mark_refresh_jti_used(user_id: int, jti: str) -> bool: |