In v3, new tokens are created by sending a POST request to the /authentication endpoint. However, this no longer holds in v4 if the jwt strategy is used.
Is this behaviour intended? Consequently, a browser client with an existing token will not get a new token with extended expiry if the browser is refreshed.
Yes, this is intended for security reasons. Otherwise an attacker that managed to steal your token could get indefinite access to the application. Also see #960.
In v3, new tokens are created by sending a POST request to the /authentication endpoint. However, this no longer holds in v4 if the jwt strategy is used. This is likely due to: https://github.com/feathersjs/feathers/blob/2d95bfd7a7cf064ef95925649b45b3ebecdb86c4/packages/authentication/src/service.ts#L101-L103.
Is this behaviour intended? Consequently, a browser client with an existing token will not get a new token with extended expiry if the browser is refreshed.
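The reasoning in the reply above, as an added example that is not part of the original thread and not Feathers' own code: a simplified model comparing re-authentication that reissues a token with a fresh expiry against re-authentication that hands back the same token. The secret, the one-hour lifetime and the names `authenticateWithJwt` and `accessDuration` are assumptions made for the illustration.

```javascript
// Simplified model of the behaviour discussed above; NOT Feathers' code.
const { createHmac, timingSafeEqual } = require("crypto");

const SECRET = "constructed-demo-secret"; // constructed value
const TTL = 3600; // assumed token lifetime in seconds

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (data) => createHmac("sha256", SECRET).update(data).digest("base64url");

function sign(payload) {
  const body = `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}`;
  return `${body}.${mac(body)}`;
}

function verify(token, now) {
  const [h, p, s] = token.split(".");
  const expected = Buffer.from(mac(`${h}.${p}`));
  const given = Buffer.from(s || "");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  if (payload.exp <= now) throw new Error("token expired");
  return payload;
}

// Hypothetical handler for re-authentication with an existing JWT.
// reissue=true models the v3 behaviour described in the issue,
// reissue=false models the v4 behaviour (the same token is handed back).
function authenticateWithJwt(token, now, reissue) {
  const { sub } = verify(token, now);
  return reissue ? sign({ sub, exp: now + TTL }) : token;
}

// Re-authenticate every `step` seconds with whatever token is held and
// return how long access lasted, capped at `horizon` seconds.
function accessDuration(reissue, step, horizon) {
  let token = sign({ sub: "user-1", exp: TTL }); // issued at t=0
  for (let now = step; now <= horizon; now += step) {
    try {
      token = authenticateWithJwt(token, now, reissue);
    } catch (err) {
      return now; // first point at which the token is rejected
    }
  }
  return horizon;
}
```

With reissuing enabled, whoever holds a valid token keeps access for the whole horizon; with it disabled, access ends at the original expiry no matter how often the token is presented.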