If `rodauth.check_active_session` is called before `r.rodauth` then `@jwt_refresh_route` is not yet set and the JWT is decoded with `:verify_expiration: true`, which fails even if we want to allow expired access tokens to be provided for refresh.
As discussed on IRC, this seems to be the best way to detect if the request is for the refresh route while not being in the route handler itself.
The added test is failing without this patch, and green with it.
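The ordering problem described above, as an added Ruby example that is not Rodauth's code or the patch itself: a decision driven by a flag set only in the route handler rejects an expired token during an early session check, while a decision taken from the request path does not. The helper names, `SECRET`, the `/jwt-refresh` path and the hand-rolled HS256 routines are assumptions made for illustration.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret"  # constructed sample key
REFRESH_PATH = "/jwt-refresh"       # assumed refresh route path

def b64url(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack1("m")
end

def sign(input)
  b64url(OpenSSL::HMAC.digest("SHA256", SECRET, input))
end

# Build an HS256 token (used to construct sample input).
def encode_jwt(payload)
  head = b64url(JSON.generate("alg" => "HS256"))
  input = "#{head}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{sign(input)}"
end

# Constant-time comparison of two strings.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# The signature is always checked; only the exp check is optional.
def decode_jwt(token, verify_expiration:, now:)
  head, body, sig = token.split(".")
  return nil unless head && body && sig && secure_eq(sign("#{head}.#{body}"), sig)
  return nil unless JSON.parse(b64url_decode(head))["alg"] == "HS256"
  payload = JSON.parse(b64url_decode(body))
  return nil if verify_expiration && payload["exp"].to_i <= now
  payload
rescue JSON::ParserError
  nil
end

# Before: the flag is set inside the route handler, so an earlier check sees nil.
def payload_by_flag(token, in_refresh_handler, now:)
  decode_jwt(token, verify_expiration: !in_refresh_handler, now: now)
end

# After: decide from the request itself, which also works before routing.
def payload_by_path(token, request_path, now:)
  decode_jwt(token, verify_expiration: request_path != REFRESH_PATH, now: now)
end
```

Skipping the expiration check only for the refresh path keeps expired tokens rejected on every other route, and the signature is verified in both cases.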