tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

Dealing with the refresh in api #1826

Open RaulCorreia opened 5 years ago

RaulCorreia commented 5 years ago

Subject of the issue

I made my class exactly the same as the documentation, but to check whether the token needs to be updated I do this:

$payload    = auth('api')->payload();
$now        = Carbon::now();
$expira     = Carbon::createFromFormat('Y-m-d H:i:s', gmdate("Y-m-d H:i:s", $payload('exp')));
$dif        = $expira->diffInMinutes($now);

if($dif <= 2880){ //2Days
    $refresh = true;
}

The token expiration time is 4 days, and when it is 2 days from expiring I send a message to the client to refresh the token. The client calls the refresh function, which returns the following:

return $this->respondWithToken(auth('api')->refresh());

But I get the following error: Token has expired and can no longer be refreshed

I just followed the documentation, what should I do or what am I doing wrong?

Your environment

| Q | A |
| --- | --- |
| Bug? | no |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 5.8.* |
| Package version | dev-develop |
| PHP version | 7.2.19 |

Steps to reproduce

After connecting, check whether the token has already passed the validity period stipulated by me; if 2 days of the total of 4 days have been spent, send a flag informing the client to refresh the token. The client calls the API refresh method.

Expected behaviour

The token should be updated

Actual behaviour

An exception is fired: Token has expired and can no longer be refreshed

philbenoit-ibsa commented 5 years ago

@RaulCorreia Have you updated the token expiry (ttl) within your config>jwt.php file?

RaulCorreia commented 5 years ago

> @RaulCorreia Have you updated the token expiry (ttl) within your config>jwt.php file?

Yes, I set it to expire in 4 days, and I ask for an update every 2 days.

RaulCorreia commented 5 years ago

No one has an idea? I still have this problem.

ssi-anik commented 4 years ago

As you're calling the auth('api') method, the existing payload gets validated before reaching the next statement. To let the user refresh their tokens, you must define a JWT_REFRESH_TTL value higher than the JWT_TTL. Otherwise, it won't work.

When refreshing the token, the following code gets executed, and the refresh TTL is set by the abstract service provider. The processing order is below:

https://github.com/tymondesigns/jwt-auth/blob/b927137cd5bd4d2f5d48a1ca71bc85006b99dbae/src/Providers/AbstractServiceProvider.php#L300-L307

https://github.com/tymondesigns/jwt-auth/blob/b927137cd5bd4d2f5d48a1ca71bc85006b99dbae/src/Validators/PayloadValidator.php#L47-L52

https://github.com/tymondesigns/jwt-auth/blob/b927137cd5bd4d2f5d48a1ca71bc85006b99dbae/src/Validators/PayloadValidator.php#L95-L98

https://github.com/tymondesigns/jwt-auth/blob/b927137cd5bd4d2f5d48a1ca71bc85006b99dbae/src/Claims/IssuedAt.php#L56-L61


So you must set the JWT_REFRESH_TTL higher than the JWT_TTL.
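
The two windows described in the comment above, modelled as an added example that is not part of the original thread or of jwt-auth itself. It assumes a token is accepted until iat + JWT_TTL and can be refreshed until iat + JWT_REFRESH_TTL (both in minutes); the function name `tokenWindows`, the timestamps and the JWT_REFRESH_TTL values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a jwt-auth API): evaluate both windows for a token.
// $iat and $now are Unix timestamps in seconds; both TTLs are in minutes.
// Assumption: expiry = iat + ttl, refresh deadline = iat + refresh_ttl.
function tokenWindows(int $iat, int $ttl, int $refreshTtl, int $now): array
{
    $exp             = $iat + $ttl * 60;
    $refreshDeadline = $iat + $refreshTtl * 60;

    return [
        'valid'        => $now < $exp,               // accepted on normal requests
        'refreshable'  => $now < $refreshDeadline,   // refresh() would be accepted
        'minutes_left' => intdiv($exp - $now, 60),   // signed: negative once expired
    ];
}

$day = 24 * 60;            // minutes in a day
$iat = 1700000000;         // constructed issue time
$ttl = 4 * $day;           // JWT_TTL=5760, the 4 days from the issue

// Constructed JWT_REFRESH_TTL values: one below JWT_TTL, one above it.
foreach ([2 * $day, 14 * $day] as $refreshTtl) {
    printf("JWT_TTL=%d JWT_REFRESH_TTL=%d\n", $ttl, $refreshTtl);

    // Sample the token one hour after each day boundary.
    foreach ([1, 2, 5, 15] as $daysElapsed) {
        $now = $iat + $daysElapsed * $day * 60 + 3600;
        $w   = tokenWindows($iat, $ttl, $refreshTtl, $now);

        // Prompt the client once 2 days or less remain, as in the issue,
        // but only while the token is still valid.
        $prompt = $w['valid'] && $w['minutes_left'] <= 2 * $day;

        printf(
            "  day %2d: valid=%-3s refreshable=%-3s prompt_refresh=%s\n",
            $daysElapsed,
            $w['valid'] ? 'yes' : 'no',
            $w['refreshable'] ? 'yes' : 'no',
            $prompt ? 'yes' : 'no'
        );
    }
}
```

With the refresh window shorter than the token lifetime, the token is still valid when the client is prompted at the 2-day mark, yet the refresh deadline has already passed.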

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.