On my token authentication, I have two tokens: one is a short-term access token and the other is a long-term refresh token. I want to implement refresh token rotation. So I'm going to hash the refresh token and then save it to the database. When a refresh token is reused, I will revoke all refresh tokens in that token family.

I used bcrypt to hash the refresh token, and I was initially using the JWT way to generate the refresh token. However, as bcrypt has a max input of 72 bytes, which is smaller than the JWT token length, it will result in different JWT tokens having the same bcrypt salt value if their first 72 bytes are the same.

So I'm going to use uuid to generate the token string, plus the expiry time, to replace the JWT way.

I want to know if this uuid random-string way is secure enough to replace the JWT. And I'm also concerned about whether UUID is unique enough for token authentication.
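The scheme described in the question (random refresh token, hashed at rest, rotated on every use, whole family revoked on replay) as an added, self-contained example; this is not the asker's code. It assumes an in-memory dictionary in place of the database table, uses `secrets.token_urlsafe` for the token (`uuid.uuid4()` would also do, as it carries 122 random bits; the name-based and time-based UUID variants would not, since they are predictable), and stores a SHA-256 fingerprint instead of a bcrypt hash: a slow password hash is for low-entropy secrets, while a 256-bit random token already resists brute force, and a plain digest also gives a stable lookup key. The `bcrypt_effective_input` helper only simulates bcrypt's documented 72-byte input limit so the collision the question describes can be shown without the bcrypt library.

```python
import hashlib
import secrets
import uuid
from typing import Dict, Optional

# bcrypt consumes at most the first 72 bytes of its input. This helper only
# simulates that truncation; it is not bcrypt and produces no hash.
BCRYPT_MAX_INPUT_BYTES = 72


def bcrypt_effective_input(token: str) -> bytes:
    """Bytes bcrypt would actually hash for this token (simulation only)."""
    return token.encode("utf-8")[:BCRYPT_MAX_INPUT_BYTES]


def fingerprint(token: str) -> str:
    """Deterministic digest stored instead of the plaintext refresh token.

    Covers the whole token (no 72-byte limit). A fast hash is acceptable
    because the token is a high-entropy random string, not a user password.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def new_refresh_token() -> str:
    """256 bits from the OS CSPRNG; uuid.uuid4() (122 random bits) also works."""
    return secrets.token_urlsafe(32)


class InvalidToken(Exception):
    pass


class ReuseDetected(InvalidToken):
    pass


class RefreshTokenStore:
    """In-memory stand-in (assumption) for the table of hashed refresh tokens."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        # fingerprint -> {"family", "expires_at", "used", "revoked"}
        self._rows: Dict[str, dict] = {}

    def issue(self, now: int, family_id: Optional[str] = None) -> str:
        """Mint a token; a fresh family is started when none is given."""
        token = new_refresh_token()
        self._rows[fingerprint(token)] = {
            "family": family_id or str(uuid.uuid4()),
            "expires_at": now + self.ttl,
            "used": False,
            "revoked": False,
        }
        return token

    def rotate(self, presented: str, now: int) -> str:
        """Exchange a refresh token for a new one in the same family.

        A token that was already rotated is treated as stolen: every token in
        its family is revoked and the caller gets ReuseDetected.
        """
        row = self._rows.get(fingerprint(presented))
        if row is None:
            raise InvalidToken("unknown token")
        if row["revoked"]:
            raise InvalidToken("token family revoked")
        if row["used"]:
            self.revoke_family(row["family"])
            raise ReuseDetected("refresh token replayed; family revoked")
        if now >= row["expires_at"]:
            raise InvalidToken("token expired")
        row["used"] = True
        return self.issue(now, family_id=row["family"])

    def revoke_family(self, family_id: str) -> int:
        """Revoke every token in a family; returns the number of rows hit."""
        hit = 0
        for row in self._rows.values():
            if row["family"] == family_id:
                row["revoked"] = True
                hit += 1
        return hit

    def family_of(self, token: str) -> Optional[str]:
        row = self._rows.get(fingerprint(token))
        return row["family"] if row else None

    def is_revoked(self, token: str) -> bool:
        row = self._rows.get(fingerprint(token))
        return bool(row and row["revoked"])


if __name__ == "__main__":
    # Two constructed JWT-like strings sharing the first 72 bytes look
    # identical to bcrypt but get distinct SHA-256 fingerprints.
    shared = "eyJhbGciOiJIUzI1NiJ9." + "A" * 51
    print(bcrypt_effective_input(shared + "x") == bcrypt_effective_input(shared + "y"))
    print(fingerprint(shared + "x") == fingerprint(shared + "y"))

    store = RefreshTokenStore(ttl_seconds=3600)
    t1 = store.issue(now=1000)
    t2 = store.rotate(t1, now=1001)  # normal rotation
    try:
        store.rotate(t1, now=1002)   # replay of t1 kills the whole family
    except ReuseDetected as exc:
        print(exc, "| t2 revoked:", store.is_revoked(t2))
```

Each rotation marks the presented token as used and issues a successor carrying the same family id, so a replay of any earlier token in the chain is detectable on a single database lookup and takes the legitimate successor down with it. Expiry is checked against the stored timestamp, which is why the token itself no longer needs to embed one.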