cornflourblue / aspnet-core-3-signup-verification-api

ASP.NET Core 3.1 - Boilerplate API with Email Sign Up, Verification, Authentication & Forgot Password
https://jasonwatmore.com/post/2020/07/06/aspnet-core-3-boilerplate-api-with-email-sign-up-verification-authentication-forgot-password
MIT License

Issue #2 - Replace Refresh Token Only If It Is Inactive #4

Closed twinmind closed 3 years ago

twinmind commented 3 years ago

Long-lived JWT token needs to be replaced only if it is inactive.

twinmind commented 3 years ago

related to this issue https://github.com/cornflourblue/aspnet-core-3-signup-verification-api/issues/2

cornflourblue commented 3 years ago

This behaviour is intentional for increased security; the technique is called refresh token rotation. There's more info in this article: https://auth0.com/docs/tokens/concepts/refresh-token-rotation

Also, I don't think the changes in the PR will work, because the /refresh-token route will return an error if the refresh token is not active: https://github.com/cornflourblue/aspnet-core-3-signup-verification-api/blob/9774ab83b61de187909dabe1f53ffc3ff6bb24b6/Services/AccountService.cs#L289
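The rotation behaviour the maintainer describes, as an added example that is not the project's code (the `RefreshToken`, `RefreshTokenRotator`, `Issue` and `Rotate` names and the in-memory list are illustrative assumptions, not `AccountService`'s actual API). It shows why "replace only if inactive" cannot work: the refresh endpoint has to reject an inactive token, so the only token it can ever replace is an active one. The reuse-detection branch (revoking the whole replacement chain when an already-rotated token is replayed) is an assumption taken from the linked Auth0 article, not something this thread states the project does:

```csharp
// Added example of refresh token rotation. Not the project's code; all names
// are hypothetical. Single-file console app, runs with `dotnet run` on .NET Core 3.1+.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// One refresh token as it would be persisted per account (assumed shape).
public sealed class RefreshToken
{
    public string Token { get; set; }
    public DateTime Created { get; set; }
    public DateTime Expires { get; set; }
    public DateTime? Revoked { get; set; }
    public string ReplacedByToken { get; set; }
    public bool IsExpired => DateTime.UtcNow >= Expires;
    // Active means neither revoked nor expired; only active tokens may be refreshed.
    public bool IsActive => Revoked == null && !IsExpired;
}

public sealed class RefreshTokenRotator
{
    // In-memory stand-in for the account's stored refresh tokens (assumption).
    private readonly List<RefreshToken> _tokens = new List<RefreshToken>();
    private readonly TimeSpan _lifetime;

    public RefreshTokenRotator(TimeSpan lifetime) => _lifetime = lifetime;

    public IReadOnlyList<RefreshToken> Tokens => _tokens;

    // Issue a fresh token from a CSPRNG, e.g. at login or as a replacement.
    public RefreshToken Issue()
    {
        var bytes = new byte[64];
        RandomNumberGenerator.Fill(bytes);
        var token = new RefreshToken
        {
            Token = Convert.ToBase64String(bytes),
            Created = DateTime.UtcNow,
            Expires = DateTime.UtcNow.Add(_lifetime),
        };
        _tokens.Add(token);
        return token;
    }

    // Rotation: every successful refresh revokes the presented token and
    // returns a new one. An inactive token is an error, never "replaced".
    public RefreshToken Rotate(string presented)
    {
        var current = _tokens.SingleOrDefault(t => t.Token == presented);
        if (current == null)
            throw new InvalidOperationException("Invalid token");

        if (!current.IsActive)
        {
            // Assumption beyond the thread: a revoked (already rotated) token
            // showing up again means the old token leaked and is being replayed,
            // so revoke everything issued from it (reuse detection).
            if (current.Revoked != null)
                RevokeDescendants(current);
            throw new InvalidOperationException("Invalid token");
        }

        var replacement = Issue();
        current.Revoked = DateTime.UtcNow;
        current.ReplacedByToken = replacement.Token;
        return replacement;
    }

    // Walk the ReplacedByToken chain and revoke every still-active successor.
    private void RevokeDescendants(RefreshToken token)
    {
        while (token.ReplacedByToken != null)
        {
            var next = _tokens.SingleOrDefault(t => t.Token == token.ReplacedByToken);
            if (next == null) break;
            if (next.IsActive) next.Revoked = DateTime.UtcNow;
            token = next;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var rotator = new RefreshTokenRotator(TimeSpan.FromDays(7));
        var first = rotator.Issue();                 // login
        var second = rotator.Rotate(first.Token);    // first is revoked, second is active
        Console.WriteLine($"first active: {first.IsActive}, second active: {second.IsActive}");

        // Replaying the old token is rejected and takes its replacement down with it.
        try { rotator.Rotate(first.Token); }
        catch (InvalidOperationException e) { Console.WriteLine($"replay rejected: {e.Message}"); }
        Console.WriteLine($"second active after replay: {second.IsActive}");
    }
}
```

In a real service the lookup, revocation and issue of the replacement should happen in one database transaction so that two concurrent refresh requests with the same token cannot both succeed; the in-memory list above sidesteps that only to keep the example self-contained.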