validateAndRotate
fun validateAndRotate(presentedId: String, presentedJkt: String?): RefreshTokenService.RotationResult
Use-then-rotate flow for refresh tokens.
In plain words: check the cookie, make sure it belongs to this session and browser key, then swap it for a new one. If an old/unknown token is presented, we revoke the whole family to cut off a possible theft.
Return
RotationResult containing the new record on success; null record means invalid/reuse (family revoked)
Parameters
presentedId
the token id from the __Host-rt cookie
presentedJkt
the jkt from the DPoP proof for this refresh request
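
The use-then-rotate flow described above, as an added Kotlin sketch that is not this project's implementation: `InMemoryRefreshTokens`, `TokenRecord`, the in-memory map and the local `RotationResult` are hypothetical stand-ins. It assumes rotated records are kept so a replay can be traced to its family, that a `jkt` mismatch also revokes the family, and that an id with no record is rejected without revocation because it has no family to look up.

```kotlin
import java.util.UUID

// Hypothetical types for illustration; not the project's RefreshTokenService.
data class TokenRecord(val id: String, val familyId: String, val jkt: String?, var used: Boolean = false)
data class RotationResult(val record: TokenRecord?)

class InMemoryRefreshTokens {
    private val byId = mutableMapOf<String, TokenRecord>()
    private val revokedFamilies = mutableSetOf<String>()

    // Start a new family at login, bound to the browser's DPoP key thumbprint.
    fun issue(jkt: String?): TokenRecord = store(UUID.randomUUID().toString(), jkt)

    @Synchronized
    fun validateAndRotate(presentedId: String, presentedJkt: String?): RotationResult {
        // Unknown id: there is no family to look up in this sketch, so just reject.
        val current = byId[presentedId] ?: return RotationResult(null)
        // Reuse of a rotated token, a revoked family, or a different key: revoke the family.
        if (current.used || current.familyId in revokedFamilies || current.jkt != presentedJkt) {
            revokedFamilies += current.familyId
            return RotationResult(null)
        }
        current.used = true // keep the old record so a later replay is recognised
        return RotationResult(store(current.familyId, current.jkt))
    }

    private fun store(familyId: String, jkt: String?): TokenRecord {
        val record = TokenRecord(UUID.randomUUID().toString(), familyId, jkt)
        byId[record.id] = record
        return record
    }
}

fun main() {
    val tokens = InMemoryRefreshTokens()
    val first = tokens.issue(jkt = "thumbprint-A") // constructed sample values
    val second = tokens.validateAndRotate(first.id, "thumbprint-A").record!!
    // Replaying the already-rotated token revokes the family...
    check(tokens.validateAndRotate(first.id, "thumbprint-A").record == null)
    // ...so the newest token in that family is now rejected too.
    check(tokens.validateAndRotate(second.id, "thumbprint-A").record == null)
    // A fresh family presented with a different key thumbprint is rejected as well.
    val other = tokens.issue(jkt = "thumbprint-A")
    check(tokens.validateAndRotate(other.id, "thumbprint-B").record == null)
}
```

The lookup, the checks and the swap run under one lock here; a database-backed store needs the same steps in a single transaction so two concurrent requests cannot both rotate the same token.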