Building Secure Session Management in NestJS - Refresh Tokens, Device Tracking & Session Revocation (PART 2)

Source: DEV Community
1. The Refresh Token Flow — Validating Against the DB

This is where the real security upgrade happens. Instead of just verifying the JWT signature, we now check the database to confirm the session still exists and hasn't been revoked.

```typescript
// auth.service.ts — updated refreshToken method
import { UnauthorizedException } from '@nestjs/common';

async refreshToken(rawRefreshToken: string) {
  // Step 1: Verify the JWT signature and check expiry.
  // jwtService.verify() throws an error if the token is expired or the signature is invalid.
  let payload: any;
  try {
    payload = this.jwtService.verify(rawRefreshToken, {
      secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
    });
  } catch {
    // The token is either expired or was tampered with
    throw new UnauthorizedException('Refresh token is invalid or expired');
  }

  // Step 2: Load all active sessions for this user from the database.
  // We need to find the specific session that matches this refresh token.
  // Note: we explicitly request 'refreshTokenHash' since it has select: false on the entity.
  const
```
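The two-step check described above, as an added stand-alone example that is not the post's code: the signature and expiry check is hand-rolled with Node's crypto in place of jwtService.verify(), the sessions table is an in-memory array of constructed rows, and signRefreshToken, verifyRefreshToken and refreshSession are assumed names. The point it demonstrates is that a token with a valid signature is still refused once its session row is missing or revoked.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-in for the sessions table row (the post loads it through an ORM entity).
export interface Session {
  id: string;
  userId: string;
  refreshTokenHash: string; // SHA-256 hex of the raw refresh token, never the token itself
  revokedAt: Date | null;
}

const b64url = (b: Buffer): string => b.toString("base64url");

// Assumed helper standing in for jwtService.sign(): mints an HS256 refresh token.
export function signRefreshToken(sub: string, secret: string, exp: number): string {
  const enc = (o: object) => b64url(Buffer.from(JSON.stringify(o)));
  const head = `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub, exp })}`;
  return `${head}.${b64url(createHmac("sha256", secret).update(head).digest())}`;
}

// Step 1, like jwtService.verify(): check the HMAC signature, then the exp claim (unix seconds).
export function verifyRefreshToken(token: string, secret: string, now: number): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.sub !== "string" || typeof payload.exp !== "number" || payload.exp <= now) return null;
  return { sub: payload.sub };
}

export function hashRefreshToken(raw: string): string {
  return createHash("sha256").update(raw).digest("hex");
}

// Step 2: a valid signature alone is not enough. The token must still map to a session row
// for this user, and that row must not have been revoked; otherwise the refresh is refused.
export function refreshSession(raw: string, secret: string, sessions: Session[], now: number): { userId: string; sessionId: string } | null {
  const payload = verifyRefreshToken(raw, secret, now);
  if (!payload) return null;
  const wanted = Buffer.from(hashRefreshToken(raw), "hex");
  for (const s of sessions) {
    if (s.userId !== payload.sub) continue;
    const stored = Buffer.from(s.refreshTokenHash, "hex");
    if (stored.length === wanted.length && timingSafeEqual(stored, wanted)) {
      return s.revokedAt === null ? { userId: s.userId, sessionId: s.id } : null;
    }
  }
  return null; // signature fine, but no live session in the DB
}
```

Hash comparisons go through timingSafeEqual so the lookup does not leak how many leading bytes of a guessed token matched.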