Implement Refresh Token and Access Token Logic over simple token

[arin-paliwal]

Background

Currently, the authentication mechanism in the project relies solely on JWT tokens. While this approach is functional, it can be enhanced for better security and user experience by introducing refresh tokens alongside access tokens.

Current Approach

• JWT Tokens: Upon login, a JWT token is issued and used for authenticating subsequent requests to protected routes.
• Potential Problem: The JWT token, if compromised, can be used until it expires. Moreover, having a short expiration time requires the user to frequently log in again, which can be inconvenient.

Proposed Enhancement

Implement a dual-token authentication system using Access Tokens and Refresh Tokens.

Proposal

Access Tokens

• Short-Lived: Access tokens should have a short expiration time (e.g., 15 minutes).
• Usage: Used to access protected routes.
• Storage: Stored in the client-side memory (e.g., JavaScript variables).

Refresh Tokens

• Long-Lived: Refresh tokens should have a longer expiration time (e.g., 7 days).
• Usage: Used to obtain new access tokens when they expire.
• Storage: Stored securely, typically in HTTP-only cookies or secure storage mechanisms.

Benefits

1. Enhanced Security: Even if an access token is compromised, it has a short lifespan, reducing the window of vulnerability.
2. Improved User Experience: Users remain logged in for longer periods without frequent interruptions for re-authentication.
3. Granular Control: Allows better control over session management and invalidation.

Please assign this issue to me. I am eager to contribute to this project and would like to implement this enhancement.

[github-actions[bot]]

Hi there! Thanks for opening this issue. We appreciate your contribution to this open-source project. We aim to respond or assign your issue as soon as possible.