feathersjs / feathers

The API and real-time application framework
https://feathersjs.com
MIT License

Reauthenticating a user doesn't increase socket ttl #3333

Closed MarcGodard closed 9 months ago

MarcGodard commented 10 months ago

In V5, the socket disconnects when the JWT expires.

I tried the following (made the JWT expire after 1 minute):

Nothing seems to work; the idea is to have the token renew and keep the connection (or seamlessly reconnect).

I cannot figure out how to accomplish this, or find any documentation on how to do this.

What am I missing? The idea is to create a system where JWTs don't live long, but as long as the user is using the system, I want to update the JWT before it expires so the user stays connected.

daffl commented 10 months ago

Reauthenticating with the JWT strategy does not create a new token but just gives you back the existing one. Creating a new one is what a refresh token (referenced in https://github.com/feathersjs/feathers/issues/1337) would be for.

It used to create a new token back in v3 but it was actually a security issue because if someone gets a hold of the token they can stay authenticated forever by generating new ones.

MarcGodard commented 10 months ago

@daffl that talks about OAuth tokens; I am not using OAuth, just email and password (local). Does Feathers offer a way to do a refresh token with the local strategy? Is there anything more up-to-date than a GitHub issue from 2015?

daffl commented 10 months ago

What's the requirement for refreshing the token every 30 seconds? In general it's probably a good idea to make the user log in with their credentials once in a while (daily, weekly, monthly), in which case you could just set the JWT expiration time to that.

MarcGodard commented 10 months ago

The 30 seconds was just for tests. The idea is to have the token last 30 minutes and sign the user out if they walk away and leave the system logged in, but if they keep making calls, refresh the token at 25 minutes or more (depending on when they make their next call). This is how all the banking sites do it, many with tokens that live 5 to 10 minutes.

The alternative is to make the token last longer and force-log them out. But this means no security benefit, as there will be a long-lived token in the wild.

daffl commented 10 months ago

A refresh token essentially has the same issue, which is why they need to be revocable, in which case it's probably easier to make the normal (longer-lived) JWTs revocable.