Closed kigawas closed 8 months ago
I don't think it's necessary to add this as a own function the LoginManager class. IMO refresh tokens should be accessible on it's own url path (e.g. /auth/refresh
), if a new refresh token function would be added, it would not show up as a authentication route in the API docs if I'm not mistaken.
Furthermore I think the implementation of refresh tokens is project dependant and the expiry time etc. may differ from project to project. So we would probably end up with a function with the same siganture as LoginManager.create_access_token
@kigawas with this approach, does simply using Depends(manager) in api routes work, or you need to use Security(manager, scopes=[required scopes here]) for each of the api? What is the exact thing you have to follow for other apis, and for /refresh api (I assume that would be different)?
@gurbaaz27
You need Security
:
get_payload_by_access = Security(LOGIN_MANAGER, scopes=[ACCESS_TOKEN_SCOPE])
get_payload_by_refresh = Security(LOGIN_MANAGER, scopes=[REFRESH_TOKEN_SCOPE])
And in your API, for example:
from .depends import get_payload_by_access, get_payload_by_refresh
@router.post("/refresh")
async def _(
payload: dict = get_payload_by_refresh,
):
return create_access_token(manager, payload)
@router.delete("/logout")
async def _(
redis: Redis = Depends(get_redis),
payload: dict = get_payload_by_access,
):
await delete_session(redis, payload["user_id"])
@kigawas Thanks man, appreciate the quick response!
My current solution is:
It'll be better to add some handy functions to get refresh token :)