Closed thombruce closed 4 years ago
thombruce
commented
4 years ago Interesting phenomenon from the latest master build...
Despite verifying IAT, old tokens remain functional. See: https://github.com/jwt/ruby-jwt/blob/044120c590a40c334fff83f6bd0baf0ae0241f51/lib/jwt/verify.rb#L44 The JWT gem actually returns if there is no IAT present... and the same is true for EXP.
Not an issue, I'll just invalidate existing Sessions with a destroy_all, but it is interesting and worth noting.
thombruce
commented
4 years ago Do we actually need a refresh token in the database? What does an additional secure token provide over just the JWT with ID?
The thing to be concerned about is... invalidating the token before expiry. This is essential, but also it's just a case of destroying the existing Session instance and creating a new one. It doesn't mean that a secure token is needed over just an ID. In fact, Refresh Token Rotation would allow you to keep a user signed in indefinitely while also enhancing the security of the refresh token by invalidating session with every request of a new auth token.
related to #24 and PR #25 and should be merged alongside
Refresh tokens will provide a way for the consuming application to request a new JWT auth token.
They will also be a JWT containing...
They will have a default EXP of 14 days, expressed in seconds, so...
Time.now.to_i + 14 * 24 * 3600, right?Anytime until expiry, the refresh token should be allowed to be submitted in order to request a new JWT or Authentication Token.