Background
Current token validity is set in config in hours (4). For convenient usage we would need a full working day (~9h), but a token that lives that long is too much of a risk if it is stolen.
Feature
We need a refresh token mechanism: a refresh token that lasts about a working day (~9h) and is used only to request a regular JWT auth token, whose validity is shortened to about 15 min.
Proposed Solution [Optional]
Solution Ideas:
Separate endpoints for acquiring JWTs: one that takes credentials (and returns both an auth JWT and a refresh JWT), and another that refreshes the auth JWT only (supply a still-valid refresh JWT, obtain a new auth JWT).
Consider researching/confirming what the norm is.
Use a secure cookie for the refresh token as in: https://www.geeksforgeeks.org/jwt-authentication-with-refresh-tokens/ (the cookie should be set with httpOnly=true and secure=true)?
The refresh token should contain the username so that it is only usable for that particular user.
Phase 2: #76
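The two-endpoint flow described above, as an added example that is not part of this issue or the project's code. It assumes HS256 JWTs built with the Python standard library, two separate signing keys (so a refresh JWT can never be accepted as an auth JWT or vice versa), a `typ` claim on each token, the username bound in as `sub`, and a refresh endpoint path of `/auth/refresh` for scoping the cookie; the credential store and the key values are constructed for the demo. It does not show server-side revocation or rotation of refresh tokens, which a real implementation of a 9h token still needs.

```python
import base64
import hashlib
import hmac
import json
import time

# Lifetimes from the issue: auth (access) JWT ~15 min, refresh JWT ~9 h.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 9 * 60 * 60

# Assumed: two independent HMAC keys, so a refresh JWT is never accepted
# where an auth JWT is expected (and vice versa). Load from config in real code.
ACCESS_KEY = b"example-access-signing-key"
REFRESH_KEY = b"example-refresh-signing-key"

# Constructed demo credential store; a real service checks a password hash.
USERS = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_typ: str, now: float) -> dict:
    """Check signature, algorithm, token type and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour the alg the token asks for ("none", key confusion)
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("typ") != expected_typ:
        raise ValueError("wrong token type")
    if not isinstance(claims.get("sub"), str) or now >= claims.get("exp", 0):
        raise ValueError("missing subject or expired")
    return claims


def _issue_access(username: str, now: float) -> str:
    return sign_jwt({"sub": username, "typ": "access", "iat": int(now), "exp": int(now) + ACCESS_TTL}, ACCESS_KEY)


def refresh_cookie(refresh_token: str) -> str:
    # HttpOnly keeps the token away from page scripts, Secure keeps it off plain HTTP,
    # and the (assumed) Path means the browser only sends it to the refresh endpoint.
    return (f"refresh_token={refresh_token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/auth/refresh; Max-Age={REFRESH_TTL}")


def login(username: str, password: str, now: float = None):
    """Endpoint 1: credentials -> auth JWT in the body, refresh JWT in a cookie. None on bad credentials."""
    now = time.time() if now is None else now
    if USERS.get(username) != password:
        return None
    refresh_token = sign_jwt({"sub": username, "typ": "refresh", "iat": int(now), "exp": int(now) + REFRESH_TTL}, REFRESH_KEY)
    return {"access_token": _issue_access(username, now),
            "refresh_token": refresh_token,
            "set_cookie": refresh_cookie(refresh_token)}


def refresh(cookie_header: str, now: float = None):
    """Endpoint 2: valid refresh cookie -> new auth JWT only. None if the cookie is missing or invalid."""
    now = time.time() if now is None else now
    cookies = dict(part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part)
    token = cookies.get("refresh_token")
    if not token:
        return None
    try:
        claims = verify_jwt(token, REFRESH_KEY, "refresh", now)
    except ValueError:
        return None
    # The username bound into the refresh token decides whose auth JWT is minted;
    # the client cannot ask for a different user.
    return {"access_token": _issue_access(claims["sub"], now)}
```

The refresh endpoint never reads a username from the request: the only identity it trusts is the `sub` claim inside the signed refresh JWT, which is what "the refresh token should contain the username" buys. Keying and typing the two token kinds separately is what stops a stolen 15-minute auth JWT from being replayed into the refresh endpoint to mint itself a 9-hour lifetime.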