This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

Model - AccessToken - refresh #315

Open
ikb42 opened this issue Feb 12, 2016 · 2 comments

ikb42 commented Feb 12, 2016

This currently does

```js
AccessToken.insert({
  iss: settings.issuer,
  uid: at.uid,
  cid: at.cid,
  ei: at.ei,
  rt: random(settings.refresh_token_bytes_range)(),
  scope: at.scope
}, function (err, token) {
  if (err) { return callback(err) }

  // we should destroy the current token
  AccessToken.delete(at.at, function (err) {
    if (err) { return callback(err) }
    callback(null, token)
  })
})
```

The problem with doing the delete after the insert is that if, for example, the rt or perhaps even the at is the same as before, then it would be deleted right after being created - or worse, perhaps parts could be deleted, such as the rt.
In my case this is happening because I am preserving the rt but it could happen in the general case too, although unlikely.

@PetrSnobelt

I also have a problem with refresh tokens, but I don't see how rt or at can be the same. It would be great if you provided a unit test.


ikb42 commented Sep 28, 2016

Can't remember the reason, but I needed to keep the refresh token the same, which led to a bug for me with my refresh token being deleted after the new access token was created.
With the random refresh token this should not happen.
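
The ordering problem discussed in this issue, as an added example that is not part of the thread or the project's code. It assumes a constructed in-memory store (hypothetical `createStore`) that keeps records by `at` plus an index from `rt` to `at`, and shows the lookup by `rt` failing after insert-then-delete when the `rt` is preserved, while delete-then-insert keeps it.

```javascript
// Constructed in-memory stand-in for a token store: records keyed by access
// token (at) plus a secondary index from refresh token (rt) to at.
// Hypothetical model for illustration, not the project's AccessToken code.
let seq = 0 // sequence values stand in for random token strings

function createStore () {
  const byAt = new Map()
  const rtIndex = new Map()
  return {
    insert (data) {
      const token = Object.assign({ at: 'at-' + (++seq) }, data)
      byAt.set(token.at, token)
      rtIndex.set(token.rt, token.at)
      return token
    },
    delete (at) {
      const token = byAt.get(at)
      if (!token) return
      byAt.delete(at)
      rtIndex.delete(token.rt) // removes the index entry by rt value alone
    },
    findByRefreshToken (rt) {
      return byAt.get(rtIndex.get(rt)) || null
    }
  }
}

// Order shown in the issue: insert the replacement, then delete the old token.
function refreshInsertThenDelete (store, old, rt) {
  const token = store.insert({ uid: old.uid, cid: old.cid, scope: old.scope, rt })
  store.delete(old.at)
  return token
}

// Reordered: delete the old token first, then insert the replacement.
function refreshDeleteThenInsert (store, old, rt) {
  store.delete(old.at)
  return store.insert({ uid: old.uid, cid: old.cid, scope: old.scope, rt })
}

// Returns true when the refreshed token can still be found by its rt.
function demo (refresh, preserveRt) {
  const store = createStore()
  const old = store.insert({ uid: 'u1', cid: 'c1', scope: 'openid', rt: 'rt-constructed' })
  const rt = preserveRt ? old.rt : 'rt-' + (++seq)
  const token = refresh(store, old, rt)
  return store.findByRefreshToken(token.rt) !== null
}
```
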
