Closed thangcqUET closed 1 year ago
@thangcqUET As we are removing the refresh token from the database and returning the new token, if anyone tries with the old refresh token, it will throw some error, because the token is valid but does not exist in the database.
@chintanshahts So when does the refresh token expire? Or does it never expire, because the expiration is always renewed every time a refresh token is created? And therefore, we don't need an expiration for the refresh token? Is that right?
@thangcqUET Suppose we have set the refresh token expire time to 1 day (i.e. 24 hours) and the access token expire time to 1 hour. If the user doesn't refresh the token for 24 hours from the creation time, the refresh token will expire.
Gotcha. I missed this case. Thank you 😊
First, thank you for your repo. In the code base, I saw that when the access token has expired, the client sends a refresh-tokens API request to the server and receives both a new access token and a new refresh token, and the old refresh token is removed from the DB. The problem is that the new refresh token has a new expire time instead of the old expire time. That makes the refresh token never expire. I don't know if you did it on purpose? Is there any mechanism behind it?
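
The rotation behaviour discussed in this thread, as an added example that is not code from the repository: an in-memory store where each refresh deletes the old token and issues a new one with a fresh 24-hour expiry. `RefreshStore`, `tryRefresh` and the optional `maxSession` cap (which carries the original session start forward so the lifetime cannot slide indefinitely) are hypothetical names and an assumption, not something the repository provides.

```javascript
// Added example: in-memory refresh-token rotation (a Map stands in for the DB).
const HOUR = 60 * 60 * 1000;
const REFRESH_TTL = 24 * HOUR; // the "1 day" used in the thread

// Random opaque token id: Web Crypto global on newer Node, module fallback otherwise.
const newId = () => (globalThis.crypto && globalThis.crypto.randomUUID
  ? globalThis.crypto.randomUUID()
  : require('crypto').randomUUID());

class RefreshStore {
  // maxSession: optional absolute cap on the whole session (assumption, see lead-in).
  constructor({ ttl = REFRESH_TTL, maxSession = Infinity } = {}) {
    this.ttl = ttl;
    this.maxSession = maxSession;
    this.tokens = new Map(); // token -> { user, expires, sessionStart }
  }

  issue(user, now, sessionStart = now) {
    const token = newId();
    // Sliding expiry (now + ttl), clamped to the absolute cap when one is set.
    const expires = Math.min(now + this.ttl, sessionStart + this.maxSession);
    this.tokens.set(token, { user, expires, sessionStart });
    return token;
  }

  // Rotate: the presented token is deleted whether or not it is still in date.
  refresh(token, now) {
    const rec = this.tokens.get(token);
    if (!rec) throw new Error('unknown or already used refresh token');
    this.tokens.delete(token);
    if (now >= rec.expires) throw new Error('refresh token expired');
    return this.issue(rec.user, now, rec.sessionStart);
  }
}

// Helper for callers that prefer null over an exception.
function tryRefresh(store, token, now) {
  try { return store.refresh(token, now); } catch (e) { return null; }
}
```

With the default settings a client that refreshes at least once every 24 hours keeps its session alive, while an idle client is logged out; setting `maxSession` ends the session at a fixed point regardless of activity.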