Gokul595 / api_guard

JWT authentication solution for Rails APIs

Add possibility to refresh expired access token

Bilanuk opened this issue · comments

Problem:
If the access JWT token has expired, we can't refresh the token anymore. So there is no point in making the refresh token with a much longer lifespan.
My idea:
How about just using the refresh token? I think there is no point in blacklisting them then.

My code example:
Bilanuk@b66920d

@Bilanuk We can refresh an expired access token using a valid refresh token (Ref: https://github.com/Gokul595/api_guard#refresh-access-token). Do you have custom routes for refreshing the token? Can you share your routes.rb file code?

> @Bilanuk We can refresh an expired access token using a valid refresh token (Ref: https://github.com/Gokul595/api_guard#refresh-access-token). Do you have custom routes for refreshing the token? Can you share your routes.rb file code?

Here are my routes:

```ruby
Rails.application.routes.draw do
  scope :api, defaults: { format: :json } do
    scope :auth do
      api_guard_routes for: "users", controller: {
        registration:   "users/registration",
        authentication: "users/authentication",
        passwords:      "users/passwords",
        tokens:         "users/tokens"
      }
    end

    get "/user-info", to: "users#show" # just for test purpose
  end
end
```

But in tokens#create we do have before_action :authenticate_resource, which triggers JWT access_token decoding. Since our token is expired, we can't decode it and get a 401 response.
I did all the steps for configuring refresh tokens from the README, but I still don't understand the part about the expired access token.
Or maybe I am doing something wrong?

There is a condition to skip validating the expiry when refreshing the token (Ref: https://github.com/Gokul595/api_guard/blob/master/lib/api_guard/jwt_auth/authentication.rb#L44). Maybe the controller_name didn't return the expected value there due to customisation. Can you please share the users/tokens controller code for my reference to debug?

> There is a condition to skip validating the expiry when refreshing the token (Ref: https://github.com/Gokul595/api_guard/blob/master/lib/api_guard/jwt_auth/authentication.rb#L44). Maybe the controller_name didn't return the expected value there due to customisation. Can you please share the users/tokens controller code for my reference to debug?

Thanks! I did the debugging by myself, and now the refreshing logic seems to be working correctly with an expired access token. I guess it was a naming problem in my controller or something, so it was trying to verify the expired JWT token.
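
The behaviour discussed in this thread, as an added sketch that is not api_guard's code: the access token's signature is always verified, and only the expiry check is skipped when the request is handled by tokens#create. The exact condition in `verify_expiry?` is an assumed form of the one the maintainer links to; `token_refresh` (used in the usage note) is a hypothetical controller name, and the secret and token are constructed.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # constructed value for this example
class TokenError < StandardError; end

def b64url(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def hmac(input, secret)
  b64url(OpenSSL::HMAC.digest("SHA256", secret, input))
end

# Build an HS256 JWT; used only to construct the sample tokens.
def encode(payload, secret = SECRET)
  input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url(payload.to_json)}"
  "#{input}.#{hmac(input, secret)}"
end

# Constant-time string comparison for the signature check.
def secure_eq?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# The signature is always verified; only the exp check can be switched off.
def decode(token, verify_exp, secret = SECRET)
  header, payload, sig = token.to_s.split(".")
  raise TokenError, "malformed token" unless header && payload && sig
  raise TokenError, "bad signature" unless secure_eq?(hmac("#{header}.#{payload}", secret), sig)
  claims = JSON.parse(payload.tr("-_", "+/").unpack1("m"))
  raise TokenError, "token expired" if verify_exp && claims["exp"].to_i <= Time.now.to_i
  claims
end

# Assumed form of the condition: expiry is skipped only for tokens#create.
def verify_expiry?(controller_name, action_name)
  controller_name != "tokens" || action_name != "create"
end

# Status the access-token check alone would produce; validating the
# refresh token is a separate step and is not modelled here.
def access_check_status(controller_name, action_name, token)
  decode(token, verify_expiry?(controller_name, action_name))
  200
rescue TokenError, JSON::ParserError
  401
end

EXPIRED = encode({ "user_id" => 1, "exp" => Time.now.to_i - 3600 }) # constructed
```

With `EXPIRED`, `access_check_status("tokens", "create", EXPIRED)` returns 200, while the same token sent to a controller whose name is not `tokens` (for example `token_refresh`) returns 401, which matches the symptom reported above.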