ellaisys / aws-cognito

AWS Cognito package (with MFA Feature) using the AWS SDK for PHP/Laravel
https://ellaisys.github.io/aws-cognito/
MIT License

Refresh Method expects a validated user? #79

Closed jamesrusso closed 1 year ago

jamesrusso commented 1 year ago

Describe the bug

The refresh method expects a validated user, but the reason to call refresh is that the token is expired (or nearing expiration).

            //Get Authenticated user
            $authUser  = Auth::guard('api')->user();

            //Get User Data
            $user = $client->getUser($authUser[$paramUsername]);

$authUser will be null here if we are using the Headers guard on the API and the token is expired (but the refresh token is good).

jamesrusso commented 1 year ago

Further, the username isn't even required as part of the Cognito API. The refresh token is all that is needed in the call; it seems that the user is only needed if boolClientSecret is true?

amitdhongde commented 1 year ago

@jamesrusso Thank you for reaching out. In the API-based approach (stateless), we need some way to authenticate the user. If the auth_token is invalid (refresh requested after the token has been invalidated), there is no way to authenticate that the request is coming from a legitimate user. If you need it for your project, you can customize it.

jamesrusso commented 1 year ago

@jamesrusso Thank you for reaching out. In the API-based approach (stateless), we need some way to authenticate the user. If the auth_token is invalid (refresh requested after token invalidates), there is no way to authenticate that the request is coming from a legitimate user. If you need it for your project, you can customize it.

Refresh should not be an authenticated operation, just as it is not with the Cognito API. This approach removes all the benefits of refresh tokens, as now you only have the lifetime of the access token in which to make refresh requests.

The request is guaranteed to be coming from a legitimate user because they are holding the refresh token.
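The flow argued for in the two comments above, as an added example written against the AWS SDK for PHP directly (it is not code from the ellaisys/aws-cognito package, and the function names, the placeholder client ID, secret and tokens, and the use of the `username` claim of the expired access token are all assumptions of this example). It shows that a REFRESH_TOKEN_AUTH call needs only the refresh token, that a username enters the picture solely to compute SECRET_HASH when the app client has a secret, and that the username can be recovered from the expired access token without ever treating that token as proof of identity: possession of a refresh token Cognito accepts is what authenticates the request.

```php
<?php
// Added example (not the ellaisys/aws-cognito package's code): refreshing Cognito
// tokens with the AWS SDK for PHP without requiring an authenticated Laravel user.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\Exception\AwsException;

/**
 * SECRET_HASH as Cognito defines it: Base64(HMAC-SHA256(key = client secret,
 * message = username . client id)). Only needed when the app client has a secret.
 */
function computeSecretHash(string $username, string $clientId, string $clientSecret): string
{
    return base64_encode(hash_hmac('sha256', $username . $clientId, $clientSecret, true));
}

/**
 * Read a claim from a JWT payload WITHOUT verifying the signature. This is
 * acceptable only because the value feeds SECRET_HASH: Cognito itself checks
 * that the refresh token belongs to that user, so a tampered claim merely
 * produces NotAuthorizedException. Never use this for authorization decisions.
 */
function unverifiedJwtClaim(string $jwt, string $claim): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $json = base64_decode(strtr($parts[1], '-_', '+/'));
    $payload = $json === false ? null : json_decode($json, true);
    return is_array($payload) && isset($payload[$claim]) ? (string) $payload[$claim] : null;
}

/**
 * Build AuthParameters for REFRESH_TOKEN_AUTH. The refresh token is the only
 * mandatory input; the username is used solely to derive SECRET_HASH.
 */
function buildRefreshAuthParameters(
    string $refreshToken,
    string $clientId,
    ?string $clientSecret = null,
    ?string $username = null
): array {
    $params = ['REFRESH_TOKEN' => $refreshToken];
    if ($clientSecret !== null) {
        if ($username === null) {
            throw new InvalidArgumentException('A username is required to compute SECRET_HASH');
        }
        $params['SECRET_HASH'] = computeSecretHash($username, $clientId, $clientSecret);
    }
    return $params;
}

/**
 * Exchange a refresh token for new access/ID tokens. Returns null when Cognito
 * rejects the refresh token (expired, revoked, or SECRET_HASH mismatch), in
 * which case the caller should force a fresh login.
 */
function refreshCognitoTokens(
    CognitoIdentityProviderClient $client,
    string $clientId,
    string $refreshToken,
    ?string $clientSecret = null,
    ?string $expiredAccessToken = null
): ?array {
    // For SECRET_HASH Cognito expects the user's actual username, which is the
    // "username" claim of the access token; an alias such as an e-mail address
    // will not match in pools that sign in by alias.
    $username = $expiredAccessToken !== null ? unverifiedJwtClaim($expiredAccessToken, 'username') : null;
    try {
        $result = $client->initiateAuth([
            'AuthFlow'       => 'REFRESH_TOKEN_AUTH',
            'ClientId'       => $clientId,
            'AuthParameters' => buildRefreshAuthParameters($refreshToken, $clientId, $clientSecret, $username),
        ]);
    } catch (AwsException $e) {
        if ($e->getAwsErrorCode() === 'NotAuthorizedException') {
            return null;
        }
        throw $e;
    }
    $auth = $result['AuthenticationResult'];
    return [
        'access_token'  => $auth['AccessToken'],
        'id_token'      => $auth['IdToken'] ?? null,
        'expires_in'    => $auth['ExpiresIn'],
        // Cognito normally issues no new refresh token here; keep the old one
        // unless the response carries one.
        'refresh_token' => $auth['RefreshToken'] ?? $refreshToken,
    ];
}

// Usage (all values are placeholders): the expired access token is read from the
// request only to recover the username; nothing about the old session is trusted.
$client = new CognitoIdentityProviderClient(['region' => 'us-east-1', 'version' => 'latest']);
$tokens = refreshCognitoTokens($client, 'APP_CLIENT_ID', 'REFRESH_TOKEN_FROM_CLIENT', 'APP_CLIENT_SECRET', 'EXPIRED_ACCESS_TOKEN');
```

In a Laravel controller this replaces the `Auth::guard('api')->user()` lookup: the endpoint stays unauthenticated, the client sends its refresh token (and its expired access token if the app client has a secret), and a null return maps to a 401 that sends the user back through login. When the app client has no secret, `$clientSecret` is left null and the call carries nothing but the refresh token.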

TapanDerasari commented 11 months ago

@amitdhongde,

I think @jamesrusso is right here; the purpose of a refresh token is to generate an auth_token. Could you please reconsider this one?