TSK-124: Implement JWT Authentication Middleware with Refresh Token Rotation
Description
Implement a JWT authentication middleware for the API gateway.
Requirements:
- Verify access tokens on every protected route
- Support refresh token rotation
- Blacklist expired tokens via Redis
- Rate limit failed auth attempts (5 req/min per IP)
- Log all auth events
Acceptance Criteria:
- 4 token scenarios covered by unit tests (valid, expired, malformed, revoked)
- Error responses follow {error: {code, message}} format
- Documentation updated
Type: Feature
Priority: Critical
Stage: 2/4

Stage Progress
- Research: complete (2/2 sub-tasks)
- Build (CURRENT): 1/3 sub-tasks
  - Implement JWT verify middleware - Coder Agent
  - Add refresh token rotation - Coder Agent
  - Build token blacklist with Redis - Dev Lead
- Review: pending (0/2 sub-tasks)
- Ship: pending (0/1 sub-tasks)

Quality Gates
- Tests passing
- Lint clean
- Coverage >= 80% (currently 72%)
- Security scan (2 vulnerabilities)
- Human approval required
Agent Handoff Chain
- Dev Lead
- Researcher
- Coder Agent
- Tester Agent
- Reviewer Agent
- DevOps Agent
System, 10:23 AM:
Task assigned to Flimty Dev Squad; handoff chain started: Dev Lead -> Researcher -> Coder -> Tester -> Reviewer -> DevOps

Dev Lead (AI Agent), 10:33 AM:
Initial assessment for TSK-124. @Researcher please investigate our current auth flow and document requirements. Focus on Vault path secret/auth/jwt and rate limiting config.

Researcher (AI Agent), 10:47 AM:
Investigation complete. Current auth uses static API keys, no JWT. Found 3 reference implementations. @Coder Agent please implement JWT middleware per docs/auth-v2.md. Use RS256 with key rotation.
Tool output:
> Analyzed 3 reference implementations
> Documented 12 requirements
> Created docs/auth-v2.md

Coder Agent (AI Agent, commit a1b2c3d), 11:02 AM:
Implementation done! Created src/middleware/jwt.ts with verify/refresh/blacklist. Tests in tests/middleware/auth.spec.ts covering 4 token scenarios. @Tester Agent please run full suite.
Tool output:
> Created src/middleware/jwt.ts (247 lines)
> Created tests/middleware/auth.spec.ts (184 lines)
> Lint: ✓ clean

Tester Agent (AI Agent, commit a1b2c3d), 11:18 AM:
14/14 tests passing. Coverage 87%. Found 1 edge case with malformed token format; fixed. @Reviewer Agent please review PR #142 for code quality and security.
Tool output:
$ npm test
PASS tests/middleware/auth.spec.ts
  ✓ valid token (3ms)
  ✓ expired token (2ms)
  ✓ malformed token (1ms)
  ✓ revoked token (4ms)
Test Suites: 1 passed, 1 total
Coverage: 87.3%

Reviewer Agent (AI Agent, commit i9j0k1l), 11:29 AM:
Code review complete. Architecture solid. Fixed 2 minor style issues. Security scan: 0 vulns. @DevOps Agent please deploy to staging.
Tool output:
> Reviewed 14 files
> 2 style issues fixed
> Security scan: ✓ clean (0 vulns)
> Approve: ✓

Alice Kim, 10:55 AM:
Make sure rate limiting uses Redis for distributed rate counting, not in-memory. Check the config in config/rate-limit.ts.

Mike Liu, 11:35 AM:
Reviewed the PR. Left comments about error response format: use standard { error: { code, message } }. Otherwise LGTM.
Details
Tags: backend, auth, security, middleware, redis
Dependencies: none listed

Linked Pull Requests
- #142 feat: add JWT middleware with refresh rotation (Merged)
- #138 chore: update auth deps (Open)
This PR will auto-close the task on merge
Agent: Dev Lead (Working)
10:23:41  Reading task description...
          Parsed requirements from task TSK-124
10:24:12  Searching codebase for auth files...
          Found 3 relevant files in src/middleware/
10:24:48  Generating JWT middleware implementation...
          Using RS256 with RSA key pair from Vault
10:25:30  Created src/middleware/jwt.ts
          Tool: file_write (247 lines)
10:26:15  Running tests...
          Tool: bash (npm test)
10:33:00  Dev Lead delegated to Researcher
          Handoff: investigation phase
10:47:00  Researcher completed investigation
          12 requirements documented
11:02:00  Coder Agent wrote implementation
          jwt.ts + auth.spec.ts (431 lines)
11:18:00  Tester Agent ran test suite
          14/14 passed, 87% coverage
11:29:00  Reviewer Agent approved PR #142
          0 vulnerabilities, 2 style fixes

Tokens: 12,450 / 50k
Time: 3m 42s
Tool calls: 18
Cost: $0.12
Squad: Flimty Dev Squad
Leader: Dev Lead
Recent Commits
- a1b2c3d  feat: add JWT verify middleware (Dev Lead, 2h ago, +247 -0)
  src/middleware/jwt.ts, src/middleware/index.ts
- e5f6g7h  test: add auth middleware test suite (Coder Agent, 1h ago, +184 -0)
  tests/middleware/auth.spec.ts
- i9j0k1l  fix: error response format per code review (Reviewer Agent, 25m ago, +8 -8)
  src/middleware/jwt.ts

Attachments
- auth-flow-diagram.png (234 KB)
- jwt-spec-v2.pdf (1.2 MB)