Gokul595 / api_guard

JWT authentication solution for Rails APIs


Avoid creating new refresh token when retrieving new access token

galexw opened this issue · comments


Currently refreshing an access token with a refresh token will create a new refresh token.

# frozen_string_literal: true

require_dependency 'api_guard/application_controller'

module ApiGuard
  class TokensController < ApplicationController
    # Both filters run before `create`: the request is authenticated and the
    # refresh token it carries is looked up into @refresh_token.
    before_action :authenticate_resource, only: [:create]
    before_action :find_refresh_token, only: [:create]

    def create
      # Issues a new access token together with a new refresh token and
      # returns them to the client.
      create_token_and_set_header(current_resource, resource_name)

      # The refresh token that was just presented is destroyed so it cannot be
      # replayed; optionally the old access token is blacklisted as well.
      @refresh_token.destroy
      blacklist_token if ApiGuard.blacklist_token_after_refreshing

      render_success(message: I18n.t('api_guard.access_token.refreshed'))
    end
  end
end

This means if a user has their refresh token leaked, the refresh token can be used forever.
Correct me if I'm wrong, but the correct behavior should be just letting the refresh tokens expire.
Refreshing an access token should not renew the refresh token.

@galexw The refresh token has a default expiry of 2 weeks and you can configure this in the initializer. This information was missing in the README earlier, I have added it now.

Ref:

Refreshing an access token should not renew the refresh token.

We need to renew the refresh token and send the new one in the response to keep the session active in the client side. You can control the expiry as mentioned above.
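As an added example (not api_guard's code, and not posted by either participant): a small in-memory refresh-token store in plain Ruby that contrasts the sliding rotation the quoted TokensController performs with a rotation that keeps the original absolute expiry, then simulates the leaked-token scenario galexw describes using the 2-week default expiry the maintainer mentions. The class, policy symbols and helper names (RefreshTokenStore, :sliding, :bounded, days_attacker_survives) are hypothetical; no api_guard model or helper is used.

```ruby
require 'securerandom'

# Added example, not api_guard's code. A minimal in-memory refresh-token store
# that contrasts the two rotation policies discussed in this issue. All names
# here (RefreshTokenStore, :sliding, :bounded) are hypothetical.
class RefreshTokenStore
  DAY = 24 * 60 * 60

  Record = Struct.new(:user_id, :expires_at, :absolute_expires_at, keyword_init: true)

  # ttl: lifetime of a freshly issued refresh token. 2 weeks mirrors the
  # default the maintainer mentions above; the real value is whatever the
  # initializer sets.
  def initialize(ttl: 14 * DAY)
    @ttl = ttl
    @tokens = {}
  end

  # Issue a brand-new refresh token at login. The absolute expiry is fixed
  # here and is never moved by a later refresh.
  def issue(user_id, now:)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[token] = Record.new(user_id: user_id,
                                expires_at: now + @ttl,
                                absolute_expires_at: now + @ttl)
    token
  end

  # Exchange a refresh token for a new one (rotation). The presented token is
  # deleted under both policies, so replaying it afterwards fails.
  #   :sliding -> new token gets a fresh ttl, like the quoted TokensController;
  #               a leaked token can be renewed indefinitely
  #   :bounded -> new token inherits the original absolute expiry, so the
  #               session ends at a fixed time however often it is refreshed
  # Returns the new token, or nil if the presented token is unknown, expired,
  # or its bounded lifetime is used up.
  def refresh(token, policy:, now:)
    record = @tokens.delete(token)
    return nil if record.nil? || record.expires_at <= now

    new_expiry = case policy
                 when :sliding then now + @ttl
                 when :bounded then record.absolute_expires_at
                 else raise ArgumentError, "unknown policy #{policy.inspect}"
                 end
    return nil if new_expiry <= now

    new_token = SecureRandom.urlsafe_base64(32)
    @tokens[new_token] = Record.new(user_id: record.user_id,
                                    expires_at: new_expiry,
                                    absolute_expires_at: record.absolute_expires_at)
    new_token
  end

  def valid?(token, now:)
    record = @tokens[token]
    !record.nil? && record.expires_at > now
  end
end

# The scenario from the issue: the victim's refresh token leaks on day 0 and
# the attacker refreshes it every `refresh_every` days. Returns the last day
# (within `horizon`) on which the attacker still obtained a working token.
def days_attacker_survives(policy, refresh_every: 7, horizon: 90)
  t0 = Time.at(0)
  store = RefreshTokenStore.new
  token = store.issue('victim', now: t0)
  last_ok = 0
  day = refresh_every
  while day <= horizon
    token = store.refresh(token, policy: policy, now: t0 + day * RefreshTokenStore::DAY)
    break if token.nil?
    last_ok = day
    day += refresh_every
  end
  last_ok
end

# Rotation destroys the presented token: the old value must not work again
# under either policy. Returns true only if the replay is (wrongly) accepted.
def old_token_replayable?(policy)
  t0 = Time.at(0)
  store = RefreshTokenStore.new
  old = store.issue('victim', now: t0)
  store.refresh(old, policy: policy, now: t0 + 60)
  store.valid?(old, now: t0 + 120)
end

if __FILE__ == $PROGRAM_NAME
  puts "sliding: attacker still refreshing on day #{days_attacker_survives(:sliding)}"
  puts "bounded: attacker last refreshed on day #{days_attacker_survives(:bounded)}"
end
```

With a 14-day ttl and an attacker refreshing weekly, the sliding policy keeps the stolen session alive for the whole 90-day horizon (last successful refresh on day 84), while the bounded policy stops it at the original expiry (last successful refresh on day 7). Either way the old token is gone after rotation, which is the part of the quoted controller that is already right; the question in the thread is only whether the replacement token should get a fresh expiry.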