Make session stateless (Implement JWT)? #27
Doing this would prevent the need for an express session, and potentially any other session issues. Using GraphiQL can present some challenges as discussed here: graphql/graphiql#59 and graphql/graphiql#500. I think, if I went this route, perhaps moving auth behind GraphQL instead of a separate Just a note... in case I wanted to drop express-sessions altogether. Right now I don't see this being a priority other than wanting the app to be "stateless".
- after authorizing via google, the refresh token is now saved to the user created via the google profile
- apollo server context is updated with the user's refresh token upon loading a session
- this should help keep the google session alive over long periods of time
- this is not a stateless action

refs #6, #27
The sessions are persistent at the moment in an effort to secure google access tokens on the server side. These are already stored in the user's table. So, the JWT would simply have a userid, and prior to executing a google query, the api server would need to look up those keys from there instead of from the active session...
Ideally such a service would remain stateless. The reason why I didn't want to do this was to secure the google access tokens. If I wanted to go full stateless, I'd need to implement the OAuth v2.0 Authorization Code flow.
Refs: https://auth0.com/docs/flows/concepts/auth-code
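
The approach described in the comment above (a JWT that carries only the user id, with the Google tokens looked up server-side per request), sketched as an added example that is not code from this project. The names `issueToken`, `verifyToken`, `buildContext`, `usersTable` and `SECRET` are hypothetical, and the in-memory map stands in for the users table.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: stands in for the users table that already holds the Google tokens.
const SECRET = 'demo-signing-key-not-for-production';
const usersTable = new Map([
  ['42', { googleRefreshToken: 'constructed-refresh-token' }],
]);

const b64url = (v) => Buffer.from(v).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Issue an HS256 token that carries only the user id and an expiry, never a Google token.
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, exp: Math.floor(now / 1000) + ttlSeconds }));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// Check the signature first, then the pinned algorithm and expiry; return the user id or null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const h = JSON.parse(Buffer.from(header, 'base64url').toString());
    const p = JSON.parse(Buffer.from(payload, 'base64url').toString());
    if (h.alg !== 'HS256') return null; // reject "none" or any other algorithm
    if (typeof p.sub !== 'string' || typeof p.exp !== 'number') return null;
    return p.exp > Math.floor(now / 1000) ? p.sub : null;
  } catch {
    return null;
  }
}

// Per-request context: resolve the Google credentials from the table, not from a session.
function buildContext(authorizationHeader, now = Date.now()) {
  const token = (authorizationHeader || '').replace(/^Bearer /, '');
  const userId = verifyToken(token, now);
  const user = userId ? usersTable.get(userId) : undefined;
  return user ? { userId, googleRefreshToken: user.googleRefreshToken } : null;
}
```

The refresh token never leaves the server; the client only holds a signed, expiring reference to the user row.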