SpoonX / aurelia-authentication

Authentication plugin for aurelia.
http://aurelia-authentication.spoonx.org
MIT License

Clarification on how refresh works #363

Closed shawty closed 3 years ago

shawty commented 6 years ago

Hi Guys,

Not a bug report, but this is the only way I know to get a message in here :-)

In the app I'm currently working on, I've been asked to implement the auth token in a sliding door fashion.

When the user first logs in, the JWT coming back has a default expiry time of 30 minutes after the log in occurred.

Every time there is a call to the API back end, the expiry time stored against the user is changed to 30 minutes from that request.

What I need to do is to make sure that the token that the front end has is updated with the new time when this happens.

My understanding from reading the docs is that:

If I set the "auto Refresh" flag to true, and set the "access token name" to the name of a token in the payload, AU Auth will watch out for that property in any response that comes back through AU Auth using the AU Fetch client, and if it sees it, it will automatically update the token stored in the browser store.

Is this correct?

Or is there some other way I have to do it?

Cheers

Shawty

RWOverdijk commented 6 years ago

It's odd that you get a new token with every response. But no, the way it works is that it fetches a new token when the current one expires. There's more on that in the docs I believe. If not, it would be nice to write a better "theory" on it.

shawty commented 6 years ago

That's why I was asking, the docs don't really delve into the process flows very much.

They mention refresh tokens, and show some basic config, followed by a NodeJs express handler to process the request coming back.

That's pretty good if you're using node and just want to copy/paste it, but I'm using DotNetCore, and there will be others using other languages too, so maybe some flow descriptions could help.

If someone wants to describe the flows to me, I might even be able to turn them into diagrams for you.

shawty commented 6 years ago

So trying to work through the info on the refresh tokens page, my auth config is set up like so.

```js
var authConfig = {

  baseUrl: "/", 
  loginUrl: '/login',
  logoutUrl: '/logout',

  refreshTokenUrl: '/spuggy',
  autoUpdateToken: true,
  useRefreshToken: true,

  loginRedirect: '#/home',
  tokenName: 'token',
  authHeader: 'Authorization',

  getRefreshTokenFromResponse: () => {
    console.log("REFRESH");
  },

  getAccessTokenFromResponse: () => {
    console.log("ACCESS");
  }
}

export default authConfig;
```

And with the auto update and refresh options turned on, aurelia auth just doesn't seem to do anything.

I've been reading through the source code, and looking at it, there are exceptions to be thrown, if for example you enable useRefresh but don't send a refresh token back.

I tried this, not sending a refresh back, and no exception, no nothing, it's as if the fact I'd turned refresh on was just ignored.

When my token timed out, it just logged me out and dropped me back to the Login screen, I saw no attempt of it trying to call out to '/spuggy' (Just a test name so I can spot it :-) ) to find a new token, and neither of the functions specified in the config were called either.

Completely stumped here; according to https://aurelia-authentication.spoonx.org/refresh_token.html what I'm doing should be working.

RWOverdijk commented 6 years ago

Could you reformat your code snippets? It's simple to do:

````
```js
// code here
```
````

Giving you:

```js
// code here
```

As to your question, are you sure it's expiring? Did you check localstorage to see if your refresh token is there?

shawty commented 6 years ago

Ahh, so that's how you do code comments... :-) For the record, the editor helps you mess them up.

Anyway.

Yes, my token absolutely is definitely expiring.

But as I noted, there's more to it than that.

The source for auth clearly has a check in it, so that if you attempt to use refresh tokens, but do not supply a refresh token, it should throw an exception and tell you that you did not supply a refresh token.

If I try to force this by not supplying a refresh token, the auth package does not throw the exception, as I believe it should.

If I do send the refresh token, and use my auth config as shown above, nothing happens, my token times out, and I get redirected to the login, but I do not see the auth package trying to ask for a new token, or complaining that no refresh is there when I try to test it without a refresh.

To me it looks as if any settings made for refresh are just being ignored and not acted upon.

RWOverdijk commented 6 years ago

@shawty I'm pretty sure this works, it's being used in production successfully. I currently don't have a ton of time to look, but what I can do is share my config:

```js
export default {
  'aurelia-authentication': {
    // Which endpoint (in `./app.js`) to use for auth requests.
    endpoint: 'auth',

    // Which endpoints to patch with the JWT (Authorization header).
    configureEndpoints: ['auth', 'api'],

    // The base url used for all authentication related requests, including provider.url below.
    // This appends to the httpClient/endpoint base url (in `./app.js`), it does not override it.
    baseUrl: 'auth',

    // The API endpoint to which login requests are sent
    loginUrl: '/login',

    // The API endpoint to which signup requests are sent
    signupUrl: '/signup',

    // Redirect to this url after successfully logging in
    loginRedirect: '/',

    // The API endpoint used in profile requests (inc. `find/get` and `update`)
    profileUrl: '/me',

    logoutRedirect: '/',

    refreshTokenUrl: '/refresh-token',

    useRefreshToken: true
  }
};
```
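The refresh flow RWOverdijk describes above (a new access token is fetched only once the current one has expired), as an added example that is not the plugin's own code and not part of the thread. It assumes a wire format where login and refresh endpoints both answer `{"token": ..., "refresh_token": ...}`, a refresh endpoint at `/refresh-token` taking `{"refresh_token": ...}`, and constructed, unsigned tokens; `post`, `store` and `stubServer` are hypothetical names for this example.

```javascript
// Added example, not aurelia-authentication's own code. Shows when a client
// should hit refreshTokenUrl and what getAccessTokenFromResponse /
// getRefreshTokenFromResponse hooks are expected to return (the token, not
// undefined). Tokens are constructed and unsigned: the client reads `exp` only
// to schedule a refresh, never as proof of anything; the server still verifies.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed JWT with the given expiry (seconds since epoch), no signature.
function makeToken(exp) {
  return `${base64url({ alg: 'none', typ: 'JWT' })}.${base64url({ sub: 'u1', exp })}.`;
}

// Read the exp claim without verification (acceptable for scheduling only).
function tokenExpiry(token) {
  const payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
}

function isExpired(token, nowSeconds) {
  return tokenExpiry(token) <= nowSeconds;
}

// The hooks must return the token from the response body, not just log it.
const getAccessTokenFromResponse = (body) => body.token;
const getRefreshTokenFromResponse = (body) => body.refresh_token;

// `post(url, body)` is injected (hypothetical) so the flow runs offline.
function ensureFreshToken(store, post, nowSeconds, refreshTokenUrl) {
  if (!isExpired(store.token, nowSeconds)) return store.token;
  if (!store.refreshToken) throw new Error('useRefreshToken is on but no refresh token is stored');
  const body = post(refreshTokenUrl, { refresh_token: store.refreshToken });
  store.token = getAccessTokenFromResponse(body);
  // Keep the old refresh token if the server did not rotate it.
  store.refreshToken = getRefreshTokenFromResponse(body) || store.refreshToken;
  return store.token;
}

// Stub back end (constructed): issues a 30-minute token and rotates the refresh token.
function stubServer(nowSeconds) {
  return (url, body) => {
    if (url !== '/refresh-token' || body.refresh_token !== 'r1') throw new Error('401 Unauthorized');
    return { token: makeToken(nowSeconds + 1800), refresh_token: 'r2' };
  };
}
```

A refresh token that grants new access tokens is as sensitive as a password; keep it out of URLs and logs, and have the server reject reuse after rotation.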

shawty commented 6 years ago

Ok, I'll go back and take another look.