AuthHub
WebSocket hub for authentication operations. Login is handled via HTTP; this hub provides token operations over existing connections.
Endpoint: /authHub
Methods
RefreshToken
Refresh access token using a valid refresh token. Returns new tokens (rotation).
[Authorize]
public async Task<RefreshResult> RefreshToken(string refreshToken)
Parameters:
| Name | Type | Description |
|---|---|---|
| refreshToken | string | Refresh token from previous login/refresh |
Returns: RefreshResult
{
accessToken: string;
refreshToken: string; // New refresh token (rotation)
accessTokenExpiresInSeconds: number;
}
Example:
const result = await connection.invoke("RefreshToken", currentRefreshToken);
// Update stored tokens
accessToken = result.accessToken;
refreshToken = result.refreshToken;
Errors:
"Invalid or expired refresh token." - Token was consumed, expired, or never existed
Logout
Revoke a specific refresh token.
[Authorize]
public async Task Logout(string refreshToken)
Parameters:
| Name | Type | Description |
|---|---|---|
| refreshToken | string | Refresh token to revoke |
Example:
await connection.invoke("Logout", refreshToken);
// Token is now invalid
RevokeAllTokens
Revoke all refresh tokens for the current user. Use for security events (password change, suspected breach).
[Authorize]
public async Task RevokeAllTokens()
Example:
await connection.invoke("RevokeAllTokens");
// All devices are now logged out
GetProfile
Get the current user's profile.
[Authorize]
public async Task<UserProfile> GetProfile()
Returns: UserProfile
{
userId: string; // GUID
displayName?: string;
avatarUrl?: string;
}
Token Refresh Flow
Usage Notes
- RefreshToken rotates tokens - The old refresh token is consumed and a new one is issued
- Call before expiration - Don't wait for 401 errors; refresh proactively
- RevokeAllTokens for security - Use when password changes or breach suspected
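The usage notes above, as an added example (not code from the AuthHub project): a client-side token manager that refreshes ahead of expiry and serializes refresh calls, so rotation never receives the same refresh token twice. `TokenManager`, `refreshDelayMs`, `onSessionLost` and the 60-second margin are assumptions made for illustration.

```javascript
// Added example, not AuthHub project code. `connection` is any object exposing
// invoke(method, ...args), such as a SignalR HubConnection.
const REJECTED = "Invalid or expired refresh token."; // error text from the page

// Delay until the next proactive refresh: expiry minus a safety margin.
// Short-lived tokens refresh at half-life so the delay never goes negative.
function refreshDelayMs(expiresInSeconds, marginSeconds = 60) {
  const margin = Math.min(marginSeconds, expiresInSeconds / 2);
  return Math.max(0, (expiresInSeconds - margin) * 1000);
}

class TokenManager {
  constructor(connection, tokens, onSessionLost = () => {}) {
    this.connection = connection;
    this.tokens = tokens; // { accessToken, refreshToken, accessTokenExpiresInSeconds }
    this.onSessionLost = onSessionLost; // hypothetical callback: send user to login
    this.inFlight = null; // promise shared by concurrent callers
    this.timer = null;
  }

  // Single-flight refresh: rotation consumes the old refresh token, so a second
  // parallel RefreshToken call with the same token would be rejected.
  refresh() {
    if (!this.tokens) return Promise.reject(new Error("No session; log in again."));
    if (!this.inFlight) {
      this.inFlight = this.connection
        .invoke("RefreshToken", this.tokens.refreshToken)
        .then((result) => (this.tokens = result)) // replace BOTH tokens
        .catch((err) => {
          // Only a server rejection ends the session; transient errors keep tokens.
          if (String(err && err.message).includes(REJECTED)) {
            this.tokens = null;
            this.onSessionLost(err);
          }
          throw err;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  // Refresh ahead of expiry instead of waiting for a 401, then re-arm the timer.
  start() {
    this.stop();
    const delay = refreshDelayMs(this.tokens.accessTokenExpiresInSeconds);
    this.timer = setTimeout(() => this.refresh().then(() => this.start(), () => {}), delay);
  }
  stop() { clearTimeout(this.timer); }
}
```

After a transient failure the timer is not re-armed; call `start()` again once the connection is re-established.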