IndominusByte / fastapi-jwt-auth

FastAPI extension that provides JWT Auth support (secure, easy to use, and lightweight)
http://indominusbyte.github.io/fastapi-jwt-auth/
MIT License

Freshness Tokens docs: fresh=False #22

Closed lefnire closed 3 years ago

lefnire commented 3 years ago

In https://indominusbyte.github.io/fastapi-jwt-auth/usage/freshness/

def refresh():
    new_access_token = Authorize.create_access_token(subject=current_user,fresh=False)

fresh=False. Took me a while to figure out on localhost why it was giving me the "Fresh token required" error. Switching this to True got me good. I'm a total JWT newb, and still wrapping my mind around it, so maybe it's user-error on my part?

lefnire commented 3 years ago

Also, it took me a long while to figure out that you reuse Authorization: Bearer ${token} for /refresh, replacing access_token with refresh_token. I thought it was something you pass in as axios({data: {refresh_token}}) per Auth0's docs. It could be I'm so newb it's not worth adding to the docs, but in case it could help future users it might be worth adding a note about that in https://indominusbyte.github.io/fastapi-jwt-auth/usage/refresh/

IndominusByte commented 3 years ago

In https://indominusbyte.github.io/fastapi-jwt-auth/usage/freshness/

def refresh():
    new_access_token = Authorize.create_access_token(subject=current_user,fresh=False)

fresh=False. Took me a while to figure out on localhost why it was giving me the "Fresh token required" error. Switching this to True got me good. I'm a total JWT newb, and still wrapping my mind around it, so maybe it's user-error on my part?

It's correct to set the access token to fresh=False, because when you refresh the token you generate a new access token without re-validating that user. With fresh_jwt_required(), only a fresh token can access the endpoint, while a non-fresh token can access endpoints protected by jwt_required().

IndominusByte commented 3 years ago

Also, it took me a long while to figure out that you reuse Authorization: Bearer ${token} for /refresh, replacing access_token with refresh_token. I thought it was something you pass in as axios({data: {refresh_token}}) per Auth0's docs. It could be I'm so newb it's not worth adding to the docs, but in case it could help future users it might be worth adding a note about that in https://indominusbyte.github.io/fastapi-jwt-auth/usage/refresh/

Great, thanks for your suggestion. I will add a note in the docs later. Thank you 😄 🙏

lefnire commented 3 years ago

Oh I see, the freshness pattern isn't part of the refresh-token pattern. It's for more critical short-access routes like deleting account, etc. Just read through the docs again and makes much more sense. Thanks!
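The two points settled in this thread (a /refresh endpoint mints a non-fresh access token because no password was re-checked, and the refresh token travels in the Authorization: Bearer header), shown end to end in an added stand-alone example that is not fastapi-jwt-auth's own code. It uses a minimal stdlib HS256 encoder in place of the library; the "type" and "fresh" claim names, the function names and the constructed secret are assumptions chosen to mirror the API the thread discusses.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed for this example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode(claims: dict) -> str:
    """Minimal HS256 JWT, a stand-in for the library's encoder: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode(bearer_header: str) -> dict:
    """Strip 'Bearer ', verify the signature in constant time, reject expired tokens."""
    header, payload, sig = bearer_header.removeprefix("Bearer ").split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not hmac.compare_digest(_b64url(expected), sig) or claims["exp"] < time.time():
        raise PermissionError("invalid or expired token")
    return claims

def create_access_token(subject: str, fresh: bool, ttl: int = 900) -> str:
    # 'fresh' is True only for a token minted directly after a password login.
    return encode({"sub": subject, "type": "access", "fresh": fresh, "exp": time.time() + ttl})

def create_refresh_token(subject: str, ttl: int = 30 * 86400) -> str:
    return encode({"sub": subject, "type": "refresh", "exp": time.time() + ttl})

def _require(bearer_header: str, token_type: str, fresh: bool = False) -> dict:
    claims = decode(bearer_header)
    if claims["type"] != token_type:
        raise PermissionError(f"Only {token_type} tokens are allowed")
    if fresh and not claims["fresh"]:
        raise PermissionError("Fresh token required")
    return claims

def refresh(bearer_header: str) -> str:
    """/refresh expects 'Authorization: Bearer <refresh_token>', not a JSON body.
    No password is re-checked here, so the new access token is fresh=False."""
    return create_access_token(_require(bearer_header, "refresh")["sub"], fresh=False)

def jwt_required(bearer_header: str) -> str:
    """Ordinary protected route: any valid access token, fresh or not."""
    return _require(bearer_header, "access")["sub"]

def fresh_jwt_required(bearer_header: str) -> str:
    """Sensitive route (e.g. delete account): a refreshed, non-fresh token is rejected."""
    return _require(bearer_header, "access", fresh=True)["sub"]
```

Call create_access_token(user, fresh=True) plus create_refresh_token(user) at login; afterwards the refreshed token passes jwt_required but raises "Fresh token required" from fresh_jwt_required until the user logs in again.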