From c61f96ffe7b516643e8e31bc5c39bd71021a698d Mon Sep 17 00:00:00 2001
From: Radical <radical@radical.fun>
Date: Sun, 4 May 2025 23:02:17 +0200
Subject: [PATCH] feat: expire refresh_token immediately on unauthorized
 response

---
 src/api/v1/auth/refresh.rs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/api/v1/auth/refresh.rs b/src/api/v1/auth/refresh.rs
index 7e331a2..8c3e7d0 100644
--- a/src/api/v1/auth/refresh.rs
+++ b/src/api/v1/auth/refresh.rs
@@ -42,7 +42,11 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
                 error!("{}", error);
             }
 
-            return Ok(HttpResponse::Unauthorized().finish());
+            let mut refresh_token_cookie = refresh_token_cookie(refresh_token);
+
+            refresh_token_cookie.make_removal();
+
+            return Ok(HttpResponse::Unauthorized().cookie(refresh_token_cookie).finish());
         }
 
         let current_time = SystemTime::now()
@@ -100,5 +104,9 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
         }));
     }
 
-    Ok(HttpResponse::Unauthorized().finish())
+    let mut refresh_token_cookie = refresh_token_cookie(refresh_token);
+
+    refresh_token_cookie.make_removal();
+
+    Ok(HttpResponse::Unauthorized().cookie(refresh_token_cookie).finish())
 }