jeremyevans
commented
3 years ago Does your app set prefix '/api/v1/auth' in your Rodauth configuration? It should if your Rodauth routes are dispatched from /app/v1/auth. I think I can make a change so things will work even with an incorrect prefix, but please see if setting prefix in your configuration fixes the issue.
https://github.com/jeremyevans/rodauth/blob/1a42415968d299a9bfb54707bd71d8258c737067/lib/rodauth/features/jwt_refresh.rb#L140
In our app,
request.path == "/api/v1/auth/jwt-refresh"&jwt_refresh_path == "/jwt-refresh"so attempting to refresh with an expired token fails this check.