[x] When user logs in, place token in Secure Storage
[x] When sending requests, instead of DUMMY TOKEN, grab token from storage. Just comment it in. The code is there, just waiting for the step above to be complete.
[x] check for valid token - Use AuthenticationError if user is not valid
[x] Actually properly check for a valid token via jwt.verify using our secret. Do this once the token is properly grabbed and placed in SecureStore on the frontend upon login.
[x] protected routes - use ForbiddenError if user is not authorized - Example on getUser resolver.
[ ] How do we handle the refresh token? You can check if a token is valid but just expired via an options object like {ignoreExpiration:true} as the third argument to jwt.verify.
[ ] Either send an error back if the token is expired, which can then be handled like this: use ErrorLink so that, if unauthenticated, it automatically requests a new token from the backend and then redoes the request, via this pattern. Then we'd also need a new endpoint that simply takes an expired token and returns a new one.
[ ] Or, on the backend, use the refresh token to get a new access token for the user.
[x] Right now we control the logged-in state via a useState. And that is fine. But, since the user might have a JWT in the SecureStore, we could make a useEffect that checks for a token in SecureStore, and if it is there, decodes it and logs the user in? So they stay logged in, even if they close Expo and the app? :) Could be cool imo https://github.com/Hold-Krykke/Security_and_FullstackJavascript_Exam/pull/28
This issue is for the follow-up things that need to be done now that the login is working.
Including, but not limited to:
[x] jwt in the app
[x] In backend - Place token on Context, so Resolvers can use it. Don't check here if valid, only check if the token is valid at the protected routes level. Not necessary before. https://www.apollographql.com/docs/apollo-server/security/authentication/#putting-user-info-on-the-context