Add refresh-token / silent re-auth flow for 15-minute wallet JWTs #224

@greatest0fallt1me

Description

app/api/auth/wallet/route.ts issues a 15-minute access token (expiresIn: "15m") with no refresh path, so authenticated sessions hard-expire mid-flow during long stream operations. Add a backend refresh mechanism so clients can obtain a new short-lived access token without re-signing a wallet challenge each time. This is a server-side session-security feature.

Requirements and Context

  • Introduce POST /api/auth/refresh issuing a new 15-minute access token from a longer-lived, rotating refresh token.
  • Refresh tokens must be revocable and stored server-side (in app/lib/db.ts mock store, keyed by actorId), with rotation-on-use to detect reuse.
  • Reuse the existing JWT signing/verification utilities from app/lib/auth.ts.
  • Must be secure, tested, and documented
  • Should be efficient and easy to review

Suggested Execution

  1. Fork the repo and create a branch
    git checkout -b feature/wallet-jwt-refresh
  2. Implement changes
    • app/api/auth/refresh/route.ts (new)
    • app/lib/auth.ts — refresh-token issue/verify/rotate helpers
    • app/lib/db.ts — refresh-token store and revocation set
  3. Test and commit
    • npm test -- app/api/auth app/lib/auth.test.ts
    • Cover edge cases: reused (rotated) refresh token, revoked token, expired refresh
    • Include test output and notes in the PR

Example commit message

feat: add rotating refresh-token flow for wallet sessions

Acceptance Criteria

  • POST /api/auth/refresh returns a fresh access token + rotated refresh token
  • Reused refresh token is rejected and revokes the chain
  • Audit event recorded for refresh and revoke
  • Coverage ≥ 90% for the new code

Guidelines

  • Minimum 90% test coverage including reuse/revocation paths
  • Clear documentation and inline comments
  • Timeframe: 96 hours

Metadata

Labels

  • Stellar Wave (Issues in the Stellar wave program)
  • api (API endpoint/contract work)
  • backend (Backend service work)
  • enhancement (New feature or improvement)
  • security (Security hardening)

Development

No branches or pull requests