# Session: Auth Feature Implementation

**Date:** 2026-01-20
**Started:** 14:30
**Last Updated:** 17:45

---

## Current State

Working on JWT authentication flow for the API. Main goal is replacing session-based auth with stateless tokens.

### Completed

- [x] Set up JWT signing with RS256
- [x] Created `/auth/login` endpoint
- [x] Added refresh token rotation
- [x] Fixed token expiry bug (was using seconds, needed milliseconds)

### In Progress

- [ ] Add rate limiting to auth endpoints
- [ ] Implement token blacklist for logout

### Blockers Encountered

1. **jsonwebtoken version mismatch** - v9.x changed the `verify()` signature, had to update error handling
2. **Redis TTL for refresh tokens** - Was setting TTL in seconds but passing milliseconds

### Key Decisions Made

- Using RS256 over HS256 for better security with distributed services
- Storing refresh tokens in Redis with 7-day TTL
- Access tokens expire in 15 minutes

### Code Locations Modified

- `src/middleware/auth.js` - JWT verification middleware
- `src/routes/auth.js` - Login/logout/refresh endpoints
- `src/services/token.service.js` - Token generation and validation

### Notes for Next Session

- Need to add CSRF protection for cookie-based token storage
- Consider adding fingerprinting for refresh token binding
- Review rate limit values with team

### Context to Load

```
src/middleware/
src/routes/auth.js
src/services/token.service.js
```

---

## Session Log

**14:30** - Started session, goal is JWT implementation

**14:45** - Set up basic JWT signing. Using RS256 with key pair stored in env vars.

**15:20** - Login endpoint working. Discovered jsonwebtoken v9 breaking change - `verify()` now throws different error types. Updated catch block:

```javascript
// Old (v8)
if (err.name === 'TokenExpiredError') { ... }

// New (v9)
if (err instanceof jwt.TokenExpiredError) { ... }
```

**16:00** - Refresh token rotation working but tokens expiring immediately. Bug: was passing `Date.now()` (milliseconds) to `expiresIn` which expects seconds. Fixed:

```javascript
// Wrong: Date.now() is an absolute timestamp in milliseconds, not a lifetime
expiresIn: Date.now() + 900000

// Correct: a relative lifetime (numeric seconds, or an ms-style string)
expiresIn: '15m'
```

**17:30** - Auth flow complete. Login -> access token -> refresh -> new tokens. Ready for rate limiting tomorrow.

**17:45** - Saving session state.