benawad / graphql-express-template

Node.js GraphQL Server template

Once expired code will not reach refreshTokens #14

Open dunatron opened 4 years ago

dunatron commented 4 years ago

on L 33 of index.js you have logic like this: `if (!token) { return next(); }`

If the token were to expire in the client, the client will not send it along with the request meaning there is no token and refreshTokens would never be hit?

dunatron commented 4 years ago

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted. https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies

benawad commented 4 years ago

which branch?

dunatron commented 4 years ago

https://github.com/benawad/graphql-express-template/blob/23_cookies/auth.js

dunatron commented 4 years ago

sorry here https://github.com/benawad/graphql-express-template/blob/23_cookies/index.js try setting the cookie age for like 2 minutes e.g.

```js
const JWT_TOKEN_MAX_AGE = 1000 * 60 * 2; // 2 minutes
module.exports.JWT_TOKEN_MAX_AGE = JWT_TOKEN_MAX_AGE;
```

dunatron commented 4 years ago

I have tested the logic in my own branch, and once the token expires it's not sent. I believe this is different from browser to browser. https://github.com/dunatron/Re_Houser/blob/apollo-3.0/server/src/index.js

perhaps this needs rethinking?

benawad commented 4 years ago

I set the expiration to the same as the refresh token, so I think it should work in that case.

But I think it's better to rework the logic to check if the refresh token is there even if the token is not.

dunatron commented 4 years ago

I think the issue would still remain the same, and once expired it too can potentially no longer be sent. I guess there is not too much you can do under those circumstances: no token, then re-auth. Your logic is actually fine as long as the browser/client does not delete the cookie once expired.