Implementing refresh token #58
Conversation
|
Kudos, SonarCloud Quality Gate passed!
|
| role: user.role, | ||
| }, | ||
| process.env.JWT_SECRET, | ||
| { expiresIn: 60 }, |
There was a problem hiding this comment.
I think expiration time has to be at least 15-30 minutes.
There was a problem hiding this comment.
hmm, don't know if there is a rule in this case or not , but I can put it for 20 minutes
| @@ -1,6 +1,6 @@ | |||
| /* eslint-disable arrow-parens */ | |||
There was a problem hiding this comment.
I should change some stuff in tests but havent done yet
|
|
||
| export const refreshUserToken = (req, res) => { | ||
| const token = generateToken(req.user); | ||
| res.status(201).json({ token }); |
There was a problem hiding this comment.
it not clear what is what here, can you rename it so it is clear what is "refresh token" and what is "access token"
There was a problem hiding this comment.
refreshtoken is written refresh token everywhere, and when there is token it is the access token
There was a problem hiding this comment.
this function is kinda confusing, so its called refreshUserToken but then it generates a new access token? can you maybe explain us the exact logic of token refreshing to us?
| username: user.username, | ||
| role: user.role, | ||
| }, | ||
| process.env.JWT_SECRET, |
There was a problem hiding this comment.
do we need to use here maybe other secret for refresh token?
There was a problem hiding this comment.
they can be the same as well
| role: user.role, | ||
| }, | ||
| process.env.JWT_SECRET, | ||
| { expiresIn: '30d' }, |
There was a problem hiding this comment.
I tried to test refreshing logic so I set { expiresIn: 2 }but it did not work and gave me infinite error:
2021-07-21 13:25:37 error: Invalid token
POST /api/refreshToken 401 0.544 ms - 27
also FE did not handle it and did not log me out
There was a problem hiding this comment.
I checked every step in BE & FE by console logging and also checking in the actual app at the same time . I could get both token and refreshtoken in logs
| router.route('/deleteUser').delete(deleteUser); | ||
| router.route('/refreshToken').post(verifyToken, refreshUserToken); |
There was a problem hiding this comment.
where do you check if there is refresh token? shouldnt u check refresh token first and then verify access token?
There was a problem hiding this comment.
it seems like the logic checking actual refresh token is missing
There was a problem hiding this comment.
bc refresh token carries the information to get a new (access) token
No description provided.