Closed oseifrimpong closed 3 years ago
Thanks for your PR, I will start to review it soon.
Two further questions,
> when the refresh endpoint is called
When should the client (frontend application) call the refresh endpoint?
> Accepts access token, verifies it and removes it from Redis.
I see you remove the tokens from Redis when logging out, but I feel like both tokens are still available with subsequent API calls, correct me if I'm wrong.
> Two further questions,
Refresh token
> when the refresh endpoint is called
> When should the client (frontend application) call the refresh endpoint?
The client should call the refresh endpoint when the access_token expires.
Logout
> Accepts access token, verifies it and removes it from Redis.
> I see you remove the tokens from Redis when logging out, but I feel like both tokens are still available with subsequent API calls, correct me if I'm wrong.
Yes, you are right, the tokens will be valid until they expire in Redis. I noticed this flaw, and that is why I listed token invalidation as one of the things to improve. I thought about the solution below but didn't have the time to implement it.
The solution for this would be an interceptor that checks for the existence of the token in Redis and returns a 401 when the token is not found in Redis.
Thanks, that's good enough for our evaluation, closing this PR.
Will get back to you soon, thank you for your time and effort.
Refresh Mechanism
I have added Redis for token management. All tokens have a TTL of 2 hours.
Basically, when the `refresh` endpoint is called, the `refresh_token` will be verified and deleted from `redis` together with its `access_token`. A new set of tokens will be generated and saved in Redis.
Logout
Accepts access token, verifies it and removes it from Redis.
To Improve
I was not able to implement the points above due to work and time constraints.
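The refresh and logout flow described in this PR, plus the Redis-existence interceptor proposed in the reply above, sketched as an added example that is not the PR author's or the project's code. It assumes an HMAC-tagged opaque token format, a synchronous in-memory stand-in for Redis, and the 2-hour TTL stated in the PR; the project's real token format and Redis client are not shown on the page.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";
// Synchronous stand-in for the Redis commands the PR relies on (constructed; the real client is async).
class TokenStore {
  private data = new Map<string, { value: string; expiresAt: number }>();
  now = () => Date.now(); // overridable clock, so a test can simulate the TTL running out
  set(key: string, value: string, ttlSeconds: number): void {
    this.data.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 });
  }
  get(key: string): string | null { // expired entries vanish, as they would in Redis
    const e = this.data.get(key);
    if (e && e.expiresAt > this.now()) return e.value;
    this.data.delete(key); return null;
  }
  del(...keys: string[]): number { return keys.filter((k) => this.data.delete(k)).length; }
}
const SECRET = "example-only-secret"; // assumption: the real signing key comes from configuration
const TTL_SECONDS = 2 * 60 * 60;      // the PR gives every token a 2-hour TTL
// Token = "<kind>:<random id>.<hmac tag>"; verify() returns the id only if the tag is genuine.
const tag = (id: string) => createHmac("sha256", SECRET).update(id).digest("hex");
function verify(token: string): string | null {
  const [id, t] = token.split("."), want = id ? tag(id) : "";
  return t && t.length === want.length && timingSafeEqual(Buffer.from(t), Buffer.from(want)) ? id : null;
}
// Each Redis entry records the user and the partner token, so logout/refresh can drop both.
function issueTokens(store: TokenStore, user: string) {
  const [a, r] = ["access", "refresh"].map((k) => k + ":" + randomBytes(8).toString("hex"));
  store.set(a, JSON.stringify({ user, partner: r }), TTL_SECONDS);
  store.set(r, JSON.stringify({ user, partner: a }), TTL_SECONDS);
  return { access_token: a + "." + tag(a), refresh_token: r + "." + tag(r) };
}
// A verified token of the expected kind that is still present in the store, else null.
function lookup(store: TokenStore, token: string, kind: "access" | "refresh") {
  const id = verify(token), raw = id && id.startsWith(kind + ":") ? store.get(id) : null;
  return raw ? { id: id as string, ...(JSON.parse(raw) as { user: string; partner: string }) } : null;
}
// The interceptor proposed in the thread: a signature-valid token absent from Redis (logged out,
// rotated away, or expired) gets a 401 instead of being accepted until its signature expires.
function authorize(store: TokenStore, accessToken: string): { status: 200 | 401; user?: string } {
  const hit = lookup(store, accessToken, "access");
  return hit ? { status: 200, user: hit.user } : { status: 401 };
}
function logout(store: TokenStore, accessToken: string): boolean { // drops both halves of the pair
  const hit = lookup(store, accessToken, "access");
  return hit !== null && store.del(hit.id, hit.partner) > 0;
}
// Refresh: verify the refresh token, delete the old pair, then issue and store a fresh pair.
function refresh(store: TokenStore, refreshToken: string) {
  const hit = lookup(store, refreshToken, "refresh");
  if (hit) store.del(hit.id, hit.partner); // old pair is gone before the new one exists
  return hit ? issueTokens(store, hit.user) : null;
}
```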