p0-h3-access-token-blacklist-race

done · type/backlog · priority/p0 · severity/high · topic/auth

p0 · H3 · Access-token blacklist on auto-rotate is racy

TL;DR

Moot after Phase A: bespoke rotating refresh / tokenBlacklist removed with Auth.js migration (d5b94ce). Race no longer exists.

Status: done (2026-05-18) · Source: [[Projects/personal-finance-notion/context/audit-2026-05-17-auth|Auth audit 2026-05-17 §H3]]

Entire src/lib/auth.ts rotating-refresh path replaced by Auth.js shim. tokenBlacklist.ts and refreshTokenSessionModel.ts deleted.

Spun out

None.

Related

  • [[Projects/personal-finance-notion/backlog/done/p0-authjs-phase-a-foundation|Phase A]]