Currently the JWTs have infinite lifetime. This is problematic for two reasons: it increases the risk of leaking credentials and it makes it impossible to revoke access rights without resetting the app's secret (which logs out all users). Thus making JWTs short-lived is a prerequisite for a user system (#19).
To do:
[x] Limit token lifetime (15 minutes?) on the backend
[x] Add token refresh endpoint on the backend
[x] Handle token refresh on `fetch` calls in the frontend
[x] Handle token refresh on image load errors in the frontend (I suppose using the `onerror` attribute of the `img` tag should do the trick)