Reauthenticating a user doesn't increase socket TTL #3333
Comments
Reauthenticating with the JWT strategy does not create a new token but just gives you back the existing one. Creating a new one is what a refresh token (referenced in #1337) would be for. It used to create a new token back in v3, but it was actually a security issue, because if someone gets hold of the token they can stay authenticated forever by generating new ones.
@daffl that talks about OAuth tokens; I am not using OAuth, just email and password (local). Does Feathers offer a way to do a refresh token with the local strategy? Is there anything more up-to-date than a GitHub issue from 2015?
What's the requirement for refreshing the token every 30 seconds? In general it's probably a good idea to make the user log in with their credentials once in a while (daily, weekly, monthly), in which case you could just set the JWT expiration time to that.
The 30 seconds was just for testing. The idea is to have the token last 30 minutes, and sign the user out if they walk away and leave the system logged in, but if they keep making calls, refresh the token at 25 minutes or more (depending on when they make the next call). This is how all the banking sites do this, many with 5 to 10 minute lived tokens. The alternative is to make the token last longer and force-log them out. But this means no security benefit, as there will be a long-lived token in the wild.
A refresh token essentially has the same issue, which is why they need to be revokable, in which case it's probably easier to make the normal (longer-lived) JWTs revokable.
In V5, the socket disconnects when the JWT expires.
I tried the following (made the JWT expire after 1 minute):
Nothing seems to work; the idea is to have the token renew and keep the connection (or seamlessly reconnect).
I cannot figure out how to accomplish this, or find any documentation on how to do this.
What am I missing? The idea is to create a system where JWTs don't live long, but as long as the user is using the system, I want to update the JWT before it expires so the user stays connected.