Wiredcraft / test-backend


Additional test - Obed #65

Closed oseifrimpong closed 3 years ago

oseifrimpong commented 3 years ago

Refresh Mechanism

I have added redis for token management. All tokens have a ttl of 2 hours.

Basically, when the refresh endpoint is called, the refresh_token will be verified and deleted from redis together with its access_token.

A new set of tokens will be generated and saved in redis.

Logout

Accepts access token, verifies it and removes it from redis.

To Improve

I was not able to implement the points above due to work and time constraints.

xavierchow commented 3 years ago

Thanks for your PR, I will start to review it soon.

xavierchow commented 3 years ago

Two further questions,

> Refresh token
>
> when the refresh endpoint is called

when should the client (frontend application) call the refresh endpoint?

> Logout
>
> Accepts access token, verifies it and removes it from redis.

I see you remove the tokens from the redis when logging out, but I feel like both tokens are still available with consequent API calls, correct me if I'm wrong.

oseifrimpong commented 3 years ago

> Two further questions,
>
> Refresh token
>
> when the refresh endpoint is called
>
> when should the client (frontend application) call the refresh endpoint?

The solution for this would be to have an interceptor to check the existence of a token in Redis and return a 401 when the token is not found in Redis.
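The refresh/logout flow from the PR description and the interceptor proposed in the reply above, as an added example that is not part of this PR or of the test-backend repository. The Redis client is replaced by a constructed in-memory `TokenStore` with the same `setex`/`get`/`delete` semantics so the block runs offline; the 2-hour TTL comes from the PR text, while the key layout, the hashing of tokens before storage, and the function names are assumptions of this example. Each stored token points at its sibling so that a refresh or a logout revokes the pair, and `authenticate` is the interceptor that answers 401 for any access token no longer present in the store:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 60 * 60  # every token lives 2 hours, as stated in the PR description


class TokenStore:
    """Constructed in-memory stand-in for Redis: string keys with an expiry time."""

    def __init__(self, clock=time.time):
        self._data = {}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def setex(self, key, ttl, value):
        self._data[key] = (value, self._clock() + ttl)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, expires_at = item
        if self._clock() >= expires_at:  # lazily drop expired keys, like Redis does
            del self._data[key]
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


def _key(kind, token):
    # Assumed layout: store a digest of the token, so a dump of the store leaks no usable tokens.
    return f"{kind}:{hashlib.sha256(token.encode()).hexdigest()}"


def issue_tokens(store, user_id):
    """Create an access/refresh pair; each entry records its sibling so either can revoke both."""
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    store.setex(_key("access", access), TOKEN_TTL_SECONDS, {"user": user_id, "refresh": refresh})
    store.setex(_key("refresh", refresh), TOKEN_TTL_SECONDS, {"user": user_id, "access": access})
    return {"access_token": access, "refresh_token": refresh}


def refresh_tokens(store, refresh_token):
    """Refresh endpoint: verify the refresh token, delete it and its access token, issue a new pair."""
    entry = store.get(_key("refresh", refresh_token))
    if entry is None:
        return 401, None  # unknown, expired or already-used refresh token
    store.delete(_key("refresh", refresh_token))
    store.delete(_key("access", entry["access"]))
    return 200, issue_tokens(store, entry["user"])


def logout(store, access_token):
    """Logout endpoint: verify the access token and remove it together with its refresh token."""
    entry = store.get(_key("access", access_token))
    if entry is None:
        return 401
    store.delete(_key("access", access_token))
    store.delete(_key("refresh", entry["refresh"]))
    return 204


def authenticate(store, access_token):
    """Interceptor for protected routes: 401 unless the access token still exists in the store."""
    entry = store.get(_key("access", access_token))
    if entry is None:
        return 401, None
    return 200, entry["user"]


if __name__ == "__main__":
    store = TokenStore()
    pair = issue_tokens(store, "user-1")
    print("before logout:", authenticate(store, pair["access_token"]))   # (200, 'user-1')
    print("logout:", logout(store, pair["access_token"]))                # 204
    print("after logout:", authenticate(store, pair["access_token"]))    # (401, None)
    print("refresh after logout:", refresh_tokens(store, pair["refresh_token"]))  # (401, None)
```

Because the interceptor consults the store on every request rather than trusting the token alone, a token removed by logout or rotated away by refresh is rejected on the very next call, which is the behaviour the question about "both tokens still being available" is asking for. The TTL alone would not give that guarantee; it only bounds how long an un-revoked token remains valid.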

xavierchow commented 3 years ago

Thanks, that's good enough for our evaluation, closing this PR.

Will get back to you soon, thank you for your time and effort.