blindnet-io / identity-api-scala

blindnet devkit identity API v2
MIT License

Token invalidation #3

Open m4rk055 opened 1 year ago

m4rk055 commented 1 year ago

Implement expiration and refreshing of the tokens.

TheKinrar commented 1 year ago

What do you mean by refreshing? Being able to keep the current token active for longer, or generating a new token when the user logs in?

m4rk055 commented 1 year ago

By refreshing, I meant being able to get a new token without having to log out, but I don't currently know a good protocol to achieve it (there is a concept of Refresh token in OAuth but probably not what we need).

Setting tokens to expire and generating new ones on login is a good start.

TheKinrar commented 1 year ago

Well we can just do it the same way sessions work (refreshing tokens as long as they're still in use), either automatically or with a special endpoint to be called by the frontend.

We probably should allow many tokens per user instead of one, so that we can generate a new one on login and let older ones expire without logging out other sessions.

m4rk055 commented 1 year ago

Design wise, using a special endpoint to get a new token should be clearer. If we make tokens into JWTs, handling multiple sessions is easier.

TheKinrar commented 1 year ago

The issue with JWTs here could be invalidation. JWTs are supposed to be short-lived because you cannot revoke a single one, and I like the idea that changing your password logs out all sessions (which is the case right now). This could be fixed though, for example if the backend uses one signing key per account.

Another option is to simply have a tokens table in the DB obviously.