Refresh tokens

Question

Refresh tokens

Epenance opened this issue 5 years ago · 11 comments

I'm submitting a...


[ ] Regression 
[ ] Bug report
[x] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

When the access token expires we are forced to show the user a login form again so they can manually authenticate again, rather than automaticly renewing the token using a refresh token.

Expected behavior

When the token expires we should get a 401, whereafter we try to refresh the access token using our refresh token, if succeeded we should get a new set of keys, else we should invalidate both tokens forcing the user to login again.

What is the motivation / use case for changing the behavior?

Using refresh tokens has been pretty standardized within the use of JWT's, we are making a unnatural flow without them.

https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

Answer 1 · 2019-12-13T20:36:30.000Z

Refresh tokens mechanism can be easily implemented using this package. Nothing more is needed

Answer 2 · 2019-12-25T20:24:47.000Z

Refresh tokens mechanism can be easily implemented using this package. Nothing more is needed

@kamilmysliwiec The ingenious answer. Can you show this easy implementation?

Answer 3 · 2020-01-10T10:28:57.000Z

@Photon79 You may generate two tokens one as access_token second as refresh_token with different expiresIn time.

Answer 4 · 2020-01-12T18:48:52.000Z

@shamahan Yes, but where do you refresh one?

For me one of the possibilities seems to be implementing a custom AuthGuard which would throw a custom exception which then would be caught by exception filter

Answer 5 · 2020-01-13T09:04:27.000Z

@shamahan Yes, but where do you refresh one?

My solution is: /auth/refresh route which accept refresh token from headers then validate by secret and check token in db. If token valid and stored in db I would recreate tokens and update refresh token in db.

Answer 6 · 2020-09-07T12:51:58.000Z

Took me half a day to figure this out, so I hope this helps others.

E.g For Token Creation/Signing

Module

@Module({
  imports: [JwtModule.register({})], // Must register with empty options object...
})
export class SomeModule {}

Signing/Creation

constructor(private jwtService: JwtService){}
...
...
const payload = { userdetails: userdetails };
const accessToken = this.jwtService.sign(payload, {
  secret: accessConfig.secret, // unique access secret from environment vars
  expiresIn: accessConfig.signOptions.expiresIn, // unique access expiration from environment vars
});

const refreshToken = this.jwtService.sign(payload, {
  secret: refreshConfig.secret, // unique refresh secret from environment vars
  expiresIn: refreshConfig.signOptions.expiresIn, // unique refresh expiration from environment vars
});
...
// Store refresh **token-hash** in DB
...
// return tokens to client
return {
  accessToken: accessToken,
  refreshToken: refreshToken,
};

Eg. For Token AuthGuard Strategy

AuthGuard Strategy

@Injectable()
export class JwtRefreshStrategy extends PassportStrategy(
  Strategy,
  'jwt-refresh-strategy',
) {
  constructor() {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      ignoreExpiration: false,
      secretOrKey: jwtRefreshConfig.secret, // gets secret from environment variables
    });
  }

  async validate(payload: any) {
    // DB checks for refresh token: valid, revoked, etc...
    ...
    ...
    return { username: payload.username };
  }
}

My suggested changes to this package:

Handle registration if JwtModule is imported but not registered with empty object.
Update docs to make clear that JwtModule can simply be imported, and JwtService can be passed options.

Eg. What this package should do:

@Module({
  imports: [JwtModule], // Import like any other module
})
export class SomeModule {}

...
...
// Package should have some conditional check
// Sudo code example
if(!JwtModuleRegistered) {
  JwtModule.register({});
}

Answer 7 · 2020-09-07T12:55:02.000Z

You can follow the same instructions with this package as it's using the jsonwebtoken under the hood.

Answer 8 · 2020-09-07T13:24:02.000Z

You can follow the same instructions with this package as it's using the jsonwebtoken under the hood.

Well.... I just took a look at her again, and you obviously are correct, but man the docs should really point this out. I'll update my previous comment to reflect the correct way using this package.

Thanks!

Answer 9 · 2020-09-07T14:35:00.000Z

@brock-wood Contributions to the docs are more than welcome! If you are interested, feel free to create a PR with any improvements you think might be useful 💪

Answer 10 · 2020-09-14T21:39:50.000Z

@brock-wood Many thanks! ❤️

Answer 11 · 2020-10-25T19:01:19.000Z

Just for the reference, here is my VERY basic implementation: modernweb-pl/vue-nest-monorepo#32