markitosgv/JWTRefreshTokenBundle

JWT Still valid after refresh

Echoju opened this issue · 1 comment

Hello,

I ask for a JWT with a regular login by sending login & pwd as JSON.
Then I receive a JWT(1) & Refresh Token(1).

If I use the Refresh Token(1) I received, I then receive a new pair: JWT(2) & Refresh Token(2).

If I try to use JWT(1) and JWT(2) they both are valid.

Is this the expected behaviour?
Is there a way so that there would be only one JWT + Refresh Token pair valid at the same time?

Also, is it possible to associate a refresh token with an IP address / device so that no one else could use it?

Thanks !

> If I try to use JWT(1) and JWT(2) they both are valid.
>
> Is this the expected behaviour?

Yes. This bundle on its own doesn't invalidate a JWT; you'd need to hook into the gesdinet.refresh_token event from this bundle or one of the authentication events from Symfony's security system to handle invalidating the older token.

> Also, is it possible to associate a refresh token with an IP address / device so that no one else could use it?

You could extend the model in your own application to add this data. You'd also need to handle checking it on your own.
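As an added illustration of the first suggestion above (not code from this bundle or its maintainers), the subscriber below hooks gesdinet.refresh_token to retire the user's older refresh tokens and records a cutoff time, then uses LexikJWTAuthenticationBundle's on_jwt_decoded event to reject any JWT whose `iat` claim predates that cutoff, so only the newest JWT + refresh token pair stays usable. It assumes the bundle's default Doctrine ORM RefreshToken entity, Lexik's default `iat` and `username` claims, and a hypothetical `tokensValidAfter` DateTimeImmutable column (with getter/setter) on App\Entity\User.

```php
<?php
// Added example, not the bundle's own code. Assumes the default Doctrine ORM RefreshToken
// entity, Lexik's default `iat`/`username` claims, and a hypothetical User::tokensValidAfter.
use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken;
use Gesdinet\JWTRefreshTokenBundle\Event\RefreshEvent;
use Gesdinet\JWTRefreshTokenBundle\Model\RefreshTokenManagerInterface;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTDecodedEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

final class SingleSessionSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private EntityManagerInterface $em,
        private RefreshTokenManagerInterface $refreshTokens,
    ) {}
    public static function getSubscribedEvents(): array
    {
        return ['gesdinet.refresh_token' => 'onRefresh',
                'lexik_jwt_authentication.on_jwt_decoded' => 'onJwtDecoded'];
    }

    // Fired while Refresh Token(1) is exchanged, before the new pair is attached to the
    // response: drop the user's other refresh tokens and store a cutoff that JWT(1) predates.
    public function onRefresh(RefreshEvent $event): void
    {
        $used = $event->getRefreshToken();
        foreach ($this->em->getRepository(RefreshToken::class)->findBy(['username' => $used->getUsername()]) as $t) {
            if ($t->getRefreshToken() !== $used->getRefreshToken()) {
                $this->refreshTokens->delete($t);
            }
        }
        $this->em->getRepository(User::class)->findOneBy(['username' => $used->getUsername()])
            ?->setTokensValidAfter(new \DateTimeImmutable());
        $this->em->flush();
    }

    // Fired on every request that presents a JWT: a token whose `iat` predates the
    // user's cutoff belongs to a superseded pair and is marked invalid.
    public function onJwtDecoded(JWTDecodedEvent $event): void
    {
        $p = $event->getPayload();
        $cutoff = $this->em->getRepository(User::class)
            ->findOneBy(['username' => $p['username'] ?? ''])?->getTokensValidAfter();
        if ($cutoff !== null && ($p['iat'] ?? 0) < $cutoff->getTimestamp()) {
            $event->markAsInvalid();
        }
    }
}
```

Because `iat` has one-second resolution, a JWT issued within the same second as the refresh is still accepted; the cutoff is written before the new JWT is created, so JWT(2) always passes the check.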