How to implement refresh tokens in Ash Auth?

I want to use Ash again (I tried it a year ago but I’m now returning to try out 3.0) but I’m a little bit unsure about Ash Authentication. I am far from a security expert, so maybe my concerns are not valid, but I was wondering how to implement refresh tokens using Ash Auth. As far as I understand, it is not very good practice to use long-lived stateless JWT tokens since it is impossible (or very hard) to invalidate them if they need to be invalidated before expiry. So most people seem to recommend a short-lived access token (seconds or minutes) and a refresh token that is stored in the database.

In the docs to ash auth it says: “Since refresh tokens are not yet included in ash_authentication, you should set the token lifetime to a reasonably long time to ensure a good user experience. Alternatively, refresh tokens can be implemented on your own.”

How would one add refresh tokens to an app using ash-authentication? I know how I could do it in a “vanilla” Phoenix app but not with Ash (my macro skills are very poor). Is it possible without forking ash-authentication and rewriting a large part of the library? If so any hints on how one would do it?

Don’t have time right now for a more involved answer, but there are discussions of how it can be implemented elsewhere in the forum, have a search around and see if you can find them. I think one was pretty recently.

As for difficult to revoke, AshAuthentication has a good option which I typically prefer anyway as I like to have state representing all current valid sessions, which is that you can do:

store_tokens? true
require_token_presence? true

In which case authentication tokens are stored and you can delete one or expire it in the database. Can be great for showing users things like “what active sessions do you have now” and that kind of thing.

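The stored-token setup described in the answer above, as an added example that is not part of the forum post or the ash_authentication project. It assumes an Ash 3.x application with ash_authentication, a user resource MyApp.Accounts.User, a token resource MyApp.Accounts.Token, and a MyApp.Accounts.Secrets module that supplies the signing secret; the option name `store_all_tokens?` is the DSL spelling as I recall it (the post writes `store_tokens?`), and the `AshAuthentication.TokenResource.Actions` function names are likewise assumed and should be checked against the installed version.

```elixir
# Added example, not from the forum post or the ash_authentication project.
# Assumes: ash_authentication in an Ash 3.x app, a token resource
# MyApp.Accounts.Token, and MyApp.Accounts.Secrets providing the signing secret.

defmodule MyApp.Accounts.User do
  use Ash.Resource,
    domain: MyApp.Accounts,
    data_layer: AshPostgres.DataLayer,
    extensions: [AshAuthentication]

  authentication do
    tokens do
      enabled? true
      token_resource MyApp.Accounts.Token
      # Persist every issued token so it has a row that can be deleted or expired.
      # Option name assumed to be store_all_tokens? in current releases.
      store_all_tokens? true
      # Reject any token whose row is missing, i.e. one that has been revoked
      # server-side, even if its signature and expiry are still valid.
      require_token_presence? true
      signing_secret MyApp.Accounts.Secrets
    end
  end

  # ... attributes, identities and strategies omitted ...
end

defmodule MyApp.Accounts.Sessions do
  @moduledoc """
  Helpers that treat stored tokens as the list of a user's active sessions.
  Function names under AshAuthentication.TokenResource.Actions are assumed.
  """
  require Ash.Query

  @token MyApp.Accounts.Token

  # Revoke one token, e.g. on logout or after a suspected compromise.
  # With require_token_presence? true the token is rejected from then on.
  def revoke(token) when is_binary(token) do
    AshAuthentication.TokenResource.Actions.revoke(@token, token, [])
  end

  # Check whether a token has already been revoked (useful in a logout handler
  # or a session-management screen).
  def revoked?(token) when is_binary(token) do
    AshAuthentication.TokenResource.Actions.revoked?(@token, token, [])
  end

  # List the user's currently valid sessions: stored token rows whose subject
  # matches the user and which have not yet expired. AshAuthentication stores
  # the subject as a string derived from the user record.
  def active_sessions(user) do
    subject = AshAuthentication.user_to_subject(user)
    now = DateTime.utc_now()

    @token
    |> Ash.Query.filter(subject == ^subject and expires_at > ^now)
    |> Ash.Query.sort(expires_at: :desc)
    |> Ash.read!()
  end

  # Periodic clean-up so the token table does not grow without bound.
  def expunge_expired do
    AshAuthentication.TokenResource.Actions.expunge_expired(@token, [])
  end
end
```

Because `require_token_presence? true` makes every token check hit the database, this configuration trades the statelessness of a JWT for the ability to revoke at will; that is exactly the trade the answer recommends, and it is what lets the "active sessions" view be backed by real rows rather than inferred from signatures alone.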