jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License
1.69k stars 95 forks

Make jwt_refresh work with active_sessions when allowing expired JWTs for refresh #165

Closed renchap closed 3 years ago

renchap commented 3 years ago

If rodauth.check_active_session is called before r.rodauth then @jwt_refresh_route is not yet set and the JWT is decoded with verify_expiration: true, which fails even if we want to allow expired access tokens to be provided for refresh.

As discussed on IRC this seems to be the best way to detect if the request is for the refresh route while not being in the route handler itself.

The added test is failing without this patch, and green with it.
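The ordering problem the pull request describes, shown as an added stand-alone example (this is not rodauth's code and does not use its API). It assumes HS256 tokens signed with a constructed secret, a refresh route at the constructed path `/jwt-refresh`, a constructed `active_session_id` claim, and the hypothetical helpers `encode_jwt`, `decode_jwt`, `jwt_refresh_request?` and `active_session_for`. The signature is always verified; only the `exp` check is skipped, and only when the request path is the refresh route, which is decided from the request before any route handler runs:

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed values for the example; a real deployment loads the secret from
# configuration and the refresh path from the framework's route settings.
JWT_SECRET = 'constructed-example-secret-do-not-use'.freeze
REFRESH_ROUTE_PATH = '/jwt-refresh'.freeze

class TokenError < StandardError; end

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input
end

def hmac(signing_input)
  OpenSSL::HMAC.digest('SHA256', JWT_SECRET, signing_input)
end

# Constant-time byte comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical helper: build an HS256 JWT from a claims hash.
def encode_jwt(payload)
  header = { 'alg' => 'HS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(hmac(signing_input))}"
end

# Hypothetical helper: verify signature always, verify exp only when asked.
def decode_jwt(token, verify_expiration:, now: Time.now.to_i)
  parts = token.to_s.split('.')
  raise TokenError, 'malformed token' unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  raise TokenError, 'unsupported alg' unless header['alg'] == 'HS256'

  expected = hmac("#{header_b64}.#{payload_b64}")
  raise TokenError, 'bad signature' unless secure_equal?(expected, b64url_decode(sig_b64))

  payload = JSON.parse(b64url_decode(payload_b64))
  if verify_expiration && payload['exp'].is_a?(Integer) && payload['exp'] <= now
    raise TokenError, 'token expired'
  end
  payload
end

# The detection the PR relies on: decide from the request path, before routing,
# whether this request is the refresh route.
def jwt_refresh_request?(request_path)
  request_path == REFRESH_ROUTE_PATH
end

# Models an active-session check that runs before the route handler. Expired
# tokens are tolerated only for the refresh route; the session id carried in the
# claims must still be present in the active-session store.
def active_session_for(token, request_path, active_session_ids, now: Time.now.to_i)
  payload = decode_jwt(token, verify_expiration: !jwt_refresh_request?(request_path), now: now)
  sid = payload['active_session_id']
  return nil unless sid && active_session_ids.include?(sid)
  payload
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  token = encode_jwt('account_id' => 1, 'active_session_id' => 'sess-1', 'exp' => now - 60)
  puts active_session_for(token, REFRESH_ROUTE_PATH, ['sess-1'], now: now).inspect
  begin
    active_session_for(token, '/protected', ['sess-1'], now: now)
  rescue TokenError => e
    puts "protected route rejects expired token: #{e.message}"
  end
end
```

A revoked session (its id missing from the store) is rejected on every route, including refresh, so allowing an expired token through on the refresh path does not bypass the active-session check.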

jeremyevans commented 3 years ago

This looks good. I'll try merging on Monday.

jeremyevans commented 3 years ago

Cherry-picked at 1843f9b70162e938dedc2bdbcdfe8fc1ca5962bb