
Refresh token can be used INDEFINITELY and UNLIMITED times without any restrictions #1901

Open
godlin-gh opened this issue Jan 3, 2025 · 6 comments
Labels
bug Something isn't working

Comments

@godlin-gh

Describe the bug

I discovered that refresh tokens can always be used, even after multiple repeated uses, and even after exceeding the project's configured refresh token reuse interval (default is 10 seconds).

To Reproduce

Use the following command without time or usage limitations:

# Exchange a refresh token for a fresh access token (and a rotated refresh token).
# The URL is quoted so the shell does not treat "?" in the query string as a glob.
curl -X POST "https://{project-id}.supabase.co/auth/v1/token?grant_type=refresh_token" \
  -H "apikey: {apikey}" \
  -H "Content-Type: application/json" \
  -d '{"refresh_token":"{refresh_token}"}'
@godlin-gh godlin-gh added the bug Something isn't working label Jan 3, 2025
@hf
Contributor

hf commented Jan 3, 2025

@hf hf transferred this issue from supabase/supabase Jan 3, 2025
@hf
Contributor

hf commented Jan 3, 2025

Anyway, a refresh token can be re-used within 10 seconds of its last use. So if you re-use it continuously every 9 seconds, it will continue to work.

This is intentional per document linked above.

https://github.com/supabase/auth/blob/master/internal/api/token_refresh.go#L187-L188

@godlin-gh
Author

I re-used it at 02:53 UTC, but I can still re-use it now (19:48+08:00, which is equivalent to 11:48 UTC).


@hf
Contributor

hf commented Jan 3, 2025

Then it should be falling under this exemption

If the parent of the currently active refresh token for the user's session is being used, the active token will be returned.

Can you confirm?
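The two rules hf describes above (a revoked refresh token is tolerated again within the reuse interval, and the parent of the currently active token always returns the active token) are enough to explain the reporter's observation. The following is an added toy model of that rotation algorithm, written for this page and not taken from supabase/auth; the token ids (rt0, rt1, ...), the timestamps, and two details of the model are assumptions: every presentation of a token resets its "last use" clock, and a reuse that is neither the parent exemption nor within the interval revokes the whole session (reuse detection). It walks through the reporter's scenario and then past it to show where the exemption ends.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ReuseInterval is the default refresh token reuse interval quoted in the thread (10 seconds).
const ReuseInterval = 10 * time.Second

var (
	ErrUnknownToken   = errors.New("unknown refresh token")
	ErrSessionRevoked = errors.New("refresh token reused outside the reuse interval: session revoked")
)

type refreshToken struct {
	id      string
	parent  string    // id of the token it was rotated from ("" for the initial token)
	revoked bool      // true once a child has been issued from it
	lastUse time.Time // when this token was last presented (assumption: reset on every use)
}

// Session is a constructed model of one user session holding a chain of rotated refresh tokens.
type Session struct {
	tokens  map[string]*refreshToken
	active  string // id of the only token that has not been rotated away yet
	seq     int
	revoked bool
}

// NewSession creates a session and returns its initial refresh token id.
func NewSession(now time.Time) (*Session, string) {
	s := &Session{tokens: map[string]*refreshToken{}}
	return s, s.issue("", now)
}

func (s *Session) issue(parent string, now time.Time) string {
	id := fmt.Sprintf("rt%d", s.seq) // hypothetical ids; real tokens are random strings
	s.seq++
	s.tokens[id] = &refreshToken{id: id, parent: parent, lastUse: now}
	s.active = id
	return id
}

// Refresh models one call to POST /token?grant_type=refresh_token for this session.
func (s *Session) Refresh(id string, now time.Time) (string, error) {
	if s.revoked {
		return "", ErrSessionRevoked
	}
	tok, ok := s.tokens[id]
	if !ok {
		return "", ErrUnknownToken
	}
	sinceLastUse := now.Sub(tok.lastUse)
	tok.lastUse = now
	if !tok.revoked {
		// Normal rotation: retire this token and hand out a child.
		tok.revoked = true
		return s.issue(id, now), nil
	}
	// The presented token was already rotated away, so this is a reuse.
	active := s.tokens[s.active]
	if active.parent == id {
		// Exemption quoted in the thread: the parent of the currently active
		// token yields the active token, with no time limit.
		return active.id, nil
	}
	if sinceLastUse <= ReuseInterval {
		// Reuse within the interval (e.g. a client retry racing the first refresh) is tolerated.
		return active.id, nil
	}
	// Older token reused outside the interval: treat as theft and end the session (assumption).
	s.revoked = true
	return "", ErrSessionRevoked
}

func main() {
	t0 := time.Date(2025, 1, 3, 2, 53, 0, 0, time.UTC)
	s, rt0 := NewSession(t0)
	steps := []struct {
		token string
		at    time.Time
	}{
		{rt0, t0},                                   // first refresh: rt0 -> rt1
		{rt0, t0.Add(9 * time.Hour)},                // hours later: rt0 is still the parent of the active token
		{"rt1", t0.Add(9 * time.Hour)},              // advance the chain: rt1 -> rt2, rt0 is now a grandparent
		{rt0, t0.Add(9*time.Hour + 5*time.Second)},  // within 10s of rt0's last use: tolerated
		{rt0, t0.Add(9*time.Hour + 14*time.Second)}, // 9s later again: the clock was reset, still tolerated
		{rt0, t0.Add(9*time.Hour + 30*time.Second)}, // 16s gap: reuse detected, session revoked
	}
	for _, st := range steps {
		got, err := s.Refresh(st.token, st.at)
		fmt.Printf("%s presented %-3s -> token=%q err=%v\n", st.at.Format("15:04:05"), st.token, got, err)
	}
}
```

The second step is the reporter's case: rt0 was rotated at 02:53 and is presented again hours later, but because the session never advanced past rt1, rt0 is still the parent of the active token and keeps returning rt1. Once the client actually uses rt1, rt0 becomes a grandparent and only the 10-second window protects it; a practitioner checking for this should therefore test reuse of a token two rotations back, not the one immediately before the active token.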

@godlin-gh
Author

Yes, I am using 'the parent of the currently active refresh token'...

Let me take another careful look at the documentation, thanks for your reply

@hf
Contributor

hf commented Jan 3, 2025

In any case, we can't really adjust the algorithm to be more strict as that causes early session termination issues at scale (only visible over 100k+ users with high activity) as some of these edge cases happen infrequently (but still a lot).

If there's any other finding please email [email protected] as these findings might constitute a security problem so we should have a proper disclosure procedure.
