francescomalatesta / laravel-api-boilerplate-jwt

A Laravel 5.8 API Boilerplate to create a ready-to-use REST API in seconds.
MIT License

Token is expired response when calling jwt.refresh route #75

Closed notflip closed 6 years ago

notflip commented 6 years ago

I'm trying to refresh the token from React, using the (get) /api/refresh route but it's giving me the following error

{"error":{"message":"Token has expired","status_code":401}}

I am sending the current (expired) token using

```js
{headers: {'Authorization': `Bearer ${token}`}}
```

Any idea what's happening here?

mcnamee commented 6 years ago

Hi @notflip I believe the issue is that you can't refresh an already expired token - it needs to be refreshed while it's still valid.

In other systems, a refresh token is also provided alongside the auth token, and you use that to refresh (refresh tokens also expire but are instead long-lived).

notflip commented 6 years ago

Aha, makes sense. What is a good solution using this package then? Maybe just removing the token on the client when it's expired? So a relogin is triggered.

mcnamee commented 6 years ago

Hi @notflip Yeah for sure - not the greatest, but I've been extending the life of the token and refreshing when it's within a certain time from expiry (requires you to decode the token client side) and when it's expired, trigger a re-authentication.

It works, but it would be ideal to have a refresh token :)

mcnamee commented 6 years ago

@notflip I've read up on the JWT Auth repo and there's actually the ability to set a refresh_ttl (/config/jwt.php) (the length of time (in minutes) that the token can be refreshed).

Super helpful, as you can set a longer TTL that it can be refreshed vs auth validity. TIL :)
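The client-side approach described in the two comments above (decode the token, refresh while it is still close to but before `exp`, and force a fresh login once it has expired or has outlived the refresh window), written out as an added example that is not part of the boilerplate or this thread. It assumes the token carries the standard `iat` and `exp` claims and that `refreshTtlMinutes` mirrors the `refresh_ttl` value from `config/jwt.php`, counted from `iat`; the sample token is constructed with a fake signature because the client never verifies it, only reads it.

```javascript
// Base64url helpers: works in Node (Buffer) and in the browser (atob/btoa).
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64') : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(b64url) {
  let b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8') : atob(b64);
}

// Read the payload claims WITHOUT verifying the signature. That is fine on
// the client, which only needs exp/iat to schedule a refresh; the API still
// verifies every token it receives.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide what the client should do with the token it currently holds.
//   'keep'           - still valid, nothing to do
//   'refresh'        - call the jwt.refresh route now, before exp passes
//   'reauthenticate' - expired (the 401 seen in this issue) or past the
//                      assumed refresh window iat + refresh_ttl, so log in again
function tokenAction(token, nowSeconds, opts) {
  const { refreshBeforeSeconds = 300, refreshTtlMinutes = null } = opts || {};
  const { exp, iat } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  if (nowSeconds >= exp) return 'reauthenticate';
  if (refreshTtlMinutes !== null && typeof iat === 'number'
      && nowSeconds >= iat + refreshTtlMinutes * 60) return 'reauthenticate';
  if (exp - nowSeconds <= refreshBeforeSeconds) return 'refresh';
  return 'keep';
}

// Constructed sample token: real header/payload encoding, placeholder signature.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.constructed-signature`;
}
```

A React app would run `tokenAction` on a timer or before each request, call `/api/refresh` with the old token when it returns `'refresh'`, and clear the stored token and show the login screen on `'reauthenticate'`.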

notflip commented 6 years ago

So you would set it to a very high number so it doesn't have to be refreshed? I'm in doubt as to what the best amount of time is, security- and best-practice-wise.

mcnamee commented 6 years ago

@notflip There are some comments in here which may help answer your question.

francescomalatesta commented 6 years ago

@mcnamee thanks for the assistance :)