
Issue with implementing token refresh functionality #1024

Closed
chandel-aman opened this issue Nov 4, 2023 · 8 comments · Fixed by #1061
Labels: bug (Something isn't working), no-issue-activity (No issue activity)

Comments

@chandel-aman
Contributor

Describe the bug
The talawa-admin currently lacks the functionality to fetch a new access token using the refresh token once the existing token has expired. The missing functionalities include fetching new access and refresh tokens and storing them in the local storage. Users are logged out automatically in the middle of their session and have to enter their credentials again.

To Reproduce
Steps to reproduce the behavior:

  1. Wait for the existing access token to expire.
  2. Observe that the talawa-admin fails to automatically fetch a new access token using the refresh token.
  3. And the user is logged out automatically.

Expected behavior

  1. Automatically fetch a new access token using the refresh token once the existing access token has expired.
  2. Store the new access and refresh tokens in the local storage.

Actual behavior
The current code lacks the ability to automatically refresh the access token using the refresh token, so as to keep the user logged in while still renewing the access token.

Screenshots
N/A

Additional details
N/A

Potential internship candidates
Please read this if you are planning to apply for a Palisadoes Foundation internship PalisadoesFoundation/talawa#359

@chandel-aman chandel-aman added the bug Something isn't working label Nov 4, 2023

github-actions bot commented Nov 4, 2023

Congratulations on making your first Issue! 🎊 If you haven't already, check out our Contributing Guidelines and Issue Reporting Guidelines to ensure that you are following our guidelines for contributing and making issues.

@chandel-aman
Contributor Author

@palisadoes please assign this issue to me

@palisadoes
Contributor

@rishav-jha-mech @kb-0311 Please comment on this.

@kb-0311
Contributor

kb-0311 commented Nov 5, 2023

@chandel-aman Refresh Tokens will also need to be configured in the backend as well so please take a look at that. Also while using RT you will also need to take care of the scenario where it might get stolen. How do you plan on addressing that edge case in talawa?

@chandel-aman
Contributor Author

chandel-aman commented Nov 5, 2023

@kb-0311

For the backend part

  1. Currently we are generating a refresh token and it is sent along with the access token to the frontend upon successful login or register, but we are not utilizing the refresh token in the frontend.

  2. Also we are not storing this refresh token in the database, which needs to be done so that we can add a check between the refresh token stored in the DB and the one coming in the request while exchanging the token.
    (Screenshot from 2023-11-05 13-22-30)
    This needs to be added.

  3. Refresh token revocation functionality is partially implemented; we also need to delete the existing token from the DB.
    (Screenshot from 2023-11-05 13-22-48)

In the scenario where the refresh token might get stolen

  1. Our refresh tokens, like access tokens, are bearer tokens that need authentication using a refresh token secret key. Just like we are storing our access token we can also store our refresh token in the browser's local storage.
  2. Also we need to implement Refresh Token Rotation and Refresh Token Reuse Detection functionality so as to mitigate any security vulnerabilities.

Refresh Token Rotation

  1. New Tokens per Use: Generates a fresh refresh token every time it's used.
  2. Shortened Validity: Reduces the lifespan of refresh tokens for increased security.
  3. Limits Compromise Impact: Minimizes the risk if a token is stolen by promptly invalidating it through subsequent rotations.

Refresh Token Reuse Detection

  1. Tracking Token Families: Links derived tokens to the original refresh token.
  2. Identifying Reuse: Detects and flags the reuse of previously used tokens or their families.
  3. Invalidation on Reuse: Invalidates entire token families upon reuse to prevent further access.
  4. Enhanced Security: Mitigates unauthorized access by immediately invalidating compromised or reused tokens.

You can also refer to the following blog post on Auth0: What Are Refresh Tokens and How to Use Them Securely

@kb-0311
Contributor

kb-0311 commented Nov 5, 2023

@chandel-aman Sure, go ahead and submit two PRs, one for the front end and one for the api.

@chandel-aman
Contributor Author

@kb-0311 Should I wait for this issue to be assigned or should I start working on it?

github-actions bot

This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.

@github-actions github-actions bot added the no-issue-activity No issue activity label Nov 17, 2023