notiz-dev / nestjs-prisma-starter

Starter template for NestJS 😻 includes GraphQL with Prisma Client, Passport-JWT authentication, Swagger Api and Docker
MIT License

Question: When to invoke refreshToken() endpoint from the client? #463

Open cloudcompute opened 2 years ago

cloudcompute commented 2 years ago

I have a question relating to JWT, could you please answer?

There is a mutation named refreshToken() which is exposed as an endpoint. In the documentation, there is no mention of when to make a call to this endpoint. It just states that you send the token in the Authorization header.

Kindly make things clear by writing the generic code flow on the client side. Is there any need to use a library like jwt-decode there?

Michalphs commented 2 years ago

Hi, I think you should use this endpoint with the refresh token as an argument when your access token has expired. As far as I know, refresh tokens are tokens with a longer lifetime.

cloudcompute commented 2 years ago

Hi

Yes, Refresh tokens have a much longer lifetime than the access tokens.

Well, your answer is correct that we should use this endpoint when an access token gets expired. In order to do so, we need a library like jwt-decode to extract the expiry time from the access token and check it against the current time.

But this is not mentioned in the nestjs-prisma-starter's Readme file. All it says is that you just need to send your access token in the header as follows: `Authorization: Bearer ${token}`

In addition to jwt-decode, I think we need to implement a few other things, for example, skip including the Authorization header for certain endpoints, like login, register, and probably invoking the refreshToken itself.

@marcjulian Could you please tell us what exactly we need to do on the client end?
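The client-side flow the thread is asking about, written here as an added example (it is not code from nestjs-prisma-starter or its README): read the access token's `exp` claim locally, skip the Authorization header for `login`, `register` and `refreshToken`, and call the refresh mutation before any request whose access token has expired. The exact shape of the refresh mutation, the operation names and the `fetch`-based transport are assumptions.

```javascript
// Added example, not nestjs-prisma-starter code. Assumed: `login`, `register` and `refreshToken`
// are the operations sent without an Authorization header, and access tokens are JWTs with `exp`.
const ANONYMOUS_OPERATIONS = new Set(['login', 'register', 'refreshToken']);
// Hypothetical shape of the refresh mutation; adjust to the server's real schema.
const REFRESH_MUTATION = 'mutation($t: String!) { refreshToken(token: $t) { accessToken refreshToken } }';

const b64 = (s) => (typeof Buffer !== 'undefined' ? Buffer.from(s, 'utf8').toString('base64') : btoa(s));
const unb64 = (s) => (typeof Buffer !== 'undefined' ? Buffer.from(s, 'base64').toString('utf8') : atob(s));
const base64UrlEncode = (s) => b64(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const base64UrlDecode = (s) => unb64(s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '='));

// Read the payload only. The client never verifies the signature; that is the server's job.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Treat a token as expired `skewSeconds` early so it is still valid when the request lands.
function isExpired(token, nowSeconds, skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp - skewSeconds <= nowSeconds;
}

// 'anonymous': no header; 'refresh': call refreshToken first; 'send': attach the access token.
function plan(operationName, tokens, nowSeconds) {
  if (ANONYMOUS_OPERATIONS.has(operationName)) return 'anonymous';
  if (!tokens.accessToken || isExpired(tokens.accessToken, nowSeconds)) return 'refresh';
  return 'send';
}

async function graphqlRequest(fetchImpl, url, { operationName, query, variables }, tokens,
                              now = () => Math.floor(Date.now() / 1000)) {
  const post = (headers, body) =>
    fetchImpl(url, { method: 'POST', headers: { 'Content-Type': 'application/json', ...headers }, body: JSON.stringify(body) });
  let action = plan(operationName, tokens, now());
  if (action === 'refresh') {
    const { data, errors } = await (await post({}, { query: REFRESH_MUTATION, variables: { t: tokens.refreshToken } })).json();
    if (errors || !data) throw new Error('refresh failed: send the user back to login');
    tokens.accessToken = data.refreshToken.accessToken;   // rotate both tokens in place
    tokens.refreshToken = data.refreshToken.refreshToken;
    action = 'send';
  }
  const headers = action === 'send' ? { Authorization: `Bearer ${tokens.accessToken}` } : {};
  return (await post(headers, { query, variables })).json();
}

// Constructed sample token with a dummy signature, only so the helpers can be exercised offline.
const sampleToken = (payload) =>
  `${base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${base64UrlEncode(JSON.stringify(payload))}.dummysig`;
```

If the refresh call itself fails, the refresh token is gone or expired too, and the only sensible client action is to clear stored tokens and show the login screen.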