The one-time refresh token can be used twice #1840

@avitsrimer

Description

It has the same behaviour in Docker from fusionauth-containers.
If the browser sends the refresh requests simultaneously, the browser would have to decide which refresh token needs to be saved, and it will break the customer session once the access_token expires. It would also leave unused refresh tokens in the FA DB for a while.

Affects versions

1.38.1, 1.36.7

Steps to reproduce

Steps to reproduce the behavior:

  1. Clone the fusionauth-containers
  2. cd docker/fusionauth and run docker compose up
  3. Set up the FA user / log in to FA admin
  4. Create a tenant (select One time usage for Refresh Token usage)
  5. Create an API key (connect it to the tenant)
  6. Create an Application
    6.1. connect it to the tenant
    6.2. enable JWT
    6.3. select One time usage for Refresh Token usage on the JWT tab
    6.4. enable Generate Refresh Tokens on the Security tab
    6.5. enable Enable JWT refresh on the Security tab
  7. Copy-paste the API key, tenantId and applicationId into the script
  8. Run the script (use any unique string for the script, e.g. ./test.sh 123, to repeat it, as that registers an additional user)
    script to run (the script requires jq)
  9. See that the refresh token was updated twice. The third request was rejected, and it's hopefully good 🥲

Note that the script uses refresh & refresh & refresh to run the commands at the same time: https://www.thegeekdiary.com/what-is-the-difference-between-ampersand-and-double-ampersand-while-executing-simultaneous-commands-on-linux/

Expected behavior

Expecting to refresh only one time for the one-time refresh token; the others should be denied like the third request.

Screenshots

[Screenshot 2022-08-24 at 01:29:24]

Platform

  • docker container

Additional context

script to run (the script requires jq)
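The race this report describes, as an added simulation that is not FusionAuth's code: a constructed in-memory token store with a check-then-act rotation beside one that consumes the old token atomically, with a barrier forcing the interleaving that `refresh & refresh & refresh` produces, so the racy variant hands out a new token to every concurrent request and leaves the extras in the store, while the atomic variant accepts exactly one.

```python
"""Simulated one-time refresh-token rotation: check-then-act lets every
concurrent refresh succeed; an atomic consume lets exactly one. Constructed model."""
import secrets
import threading
from typing import List, Optional, Set, Tuple


class TokenStore:
    """In-memory stand-in for the refresh-token table (constructed)."""

    def __init__(self) -> None:
        self.tokens: Set[str] = set()
        self.lock = threading.Lock()

    def issue(self) -> str:
        tok = secrets.token_urlsafe(16)
        self.tokens.add(tok)
        return tok

    def rotate_racy(self, old: str, barrier: threading.Barrier) -> Optional[str]:
        """Read, then write; the barrier models all requests reading before any deletes."""
        if old not in self.tokens:
            return None
        barrier.wait()
        self.tokens.discard(old)
        return self.issue()

    def rotate_atomic(self, old: str, barrier: threading.Barrier) -> Optional[str]:
        """Consume and reissue under one lock, like a single conditional DELETE."""
        barrier.wait()  # same simultaneous arrival as the racy variant
        with self.lock:
            if old not in self.tokens:
                return None
            self.tokens.discard(old)
            return self.issue()


def concurrent_refresh(method: str, clients: int = 3) -> Tuple[int, int]:
    """Refresh one token from `clients` threads at once: (successes, tokens left)."""
    store = TokenStore()
    old = store.issue()
    barrier = threading.Barrier(clients)
    results: List[Optional[str]] = []
    rotate = getattr(store, method)
    threads = [threading.Thread(target=lambda: results.append(rotate(old, barrier)))
               for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results), len(store.tokens)
```

`concurrent_refresh("rotate_racy")` returns (3, 3), three accepted refreshes and three live tokens for one session, whereas `concurrent_refresh("rotate_atomic")` returns (1, 1).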

Labels

bug, security