During the meeting, the State Changers discussed how to handle password resets so that a reset token cannot be reused. They decided to enforce this at the API level: add a timestamp field to the user table that records when the user's reset token was created, so the API can enforce a validity window (5 or 10 minutes after creation) on a per-user basis. They named this field "Reset Password" and implemented the check in the API endpoint.
They also walked through redeeming the token. They added a "get record" step that retrieves the user record by the supplied token, which also returns the token's creation timestamp, and then added math conditions to check that the timestamp falls within the last 10 minutes. If the conditions pass, the record is edited to set the token-created field back to blank or zero, so the same token cannot pass the check a second time. Together these steps ensure the token can be used only once and only within the specified time window. They also stressed testing to confirm the desired user experience.
(Source: Office Hours 2/2 )