---
issue: 092
title: "Backend: JWT refresh and access tokens share the same secret; middleware skips token type check"
severity: medium
domain: Authentication
labels: [security, backend, jwt]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: JWT refresh and access tokens share the same secret; middleware skips token type check

**Severity:** medium
**Domain:** Authentication
**Labels:** security, backend, jwt

## Description

`src/services/auth/authService.ts:44` signs both access and refresh tokens with the same secret. The `authenticateToken` middleware does not check `token.type`, so a refresh token can be presented as an access token and is accepted by protected routes.

## Options

1. Add a `type:'access'` claim check in the `authenticateToken` middleware (reject `type:'refresh'`).
2. Use separate secrets for access and refresh tokens.
3. Add audience/issuer claims and verify them in the middleware.

## Recommendation

Enforce a token-type check in the middleware (reject refresh tokens) and ideally split the secrets. Both changes touch core auth verification.

## Affected Files

- `backend/src/services/auth/authService.ts:44`
- `backend/src/middleware/authenticateToken.ts` (or equivalent)

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-26