In index.js at Line 29 of branch - https://github.com/benawad/graphql-express-template/tree/8_refresh_token:
const addUser = async (req, res, next) => {
const token = req.headers['x-token'];
if (token) {
try {
const { user } = jwt.verify(token, SECRET);
req.user = user;
} catch (err) {
const refreshToken = req.headers['x-refresh-token'];
Here , consider a scenario if the tokens were compromised and one of them , lets say access token is now tampered , it will fail the verification and hence will enter the catch block and will generate a pair of new token.
There should be an explicit check if the JWT verification fails and only if it is due to expiration of token then generate new pair of tokens.
In index.js at Line 29 of branch - https://github.com/benawad/graphql-express-template/tree/8_refresh_token: const addUser = async (req, res, next) => { const token = req.headers['x-token']; if (token) { try { const { user } = jwt.verify(token, SECRET); req.user = user; } catch (err) { const refreshToken = req.headers['x-refresh-token'];
Here , consider a scenario if the tokens were compromised and one of them , lets say access token is now tampered , it will fail the verification and hence will enter the catch block and will generate a pair of new token. There should be an explicit check if the JWT verification fails and only if it is due to expiration of token then generate new pair of tokens.