Avoid creating new refresh token when retrieving new access token
galexw opened this issue
Currently refreshing an access token with a refresh token will create a new refresh token.
```ruby
# frozen_string_literal: true

require_dependency 'api_guard/application_controller'

module ApiGuard
  class TokensController < ApplicationController
    before_action :authenticate_resource, only: [:create]
    before_action :find_refresh_token, only: [:create]

    def create
      # Issues a fresh access token (and a fresh refresh token) for the resource
      create_token_and_set_header(current_resource, resource_name)
      # The refresh token that was presented is deleted, so it cannot be reused
      @refresh_token.destroy
      blacklist_token if ApiGuard.blacklist_token_after_refreshing
      render_success(message: I18n.t('api_guard.access_token.refreshed'))
    end
    # rest of the controller not shown in the issue
  end
end
```
This means if a user has their refresh token leaked, the refresh token can be used forever.
Correct me if I'm wrong, but the correct behavior should be just letting the refresh tokens expire.
Refreshing an access token should not renew the refresh token.
@galexw The refresh token has a default expiry of 2 weeks, and you can configure this in the initializer. This information was missing from the README earlier; I have added it now.
Ref:
- https://github.com/Gokul595/api_guard#refresh-token-validity
- https://github.com/Gokul595/api_guard#token-refreshing
> Refreshing an access token should not renew the refresh token.
We need to renew the refresh token and send the new one in the response to keep the session active in the client side. You can control the expiry as mentioned above.
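The two behaviours argued about above, as an added example that is not part of api_guard or of this thread: a minimal in-memory refresh-token store in plain Ruby (no Rails) that, like the posted controller, deletes the presented refresh token on every refresh and issues a new one. The `renew:` flag switches between the maintainer's behaviour (the new token gets a fresh validity window, so the session slides forward as long as the client keeps refreshing) and the reporter's proposal (the new token keeps the original expiry). The `max_session:` absolute cap and the `FakeClock` are assumptions added for the demonstration and are not api_guard settings; the 2-week default validity and the daily-refresh simulation are constructed inputs.

```ruby
require 'securerandom'

DAY = 24 * 3600

# Deterministic clock so the simulation runs offline (assumption, not api_guard code).
class FakeClock
  attr_reader :now

  def initialize(start = Time.at(0))
    @now = start
  end

  def advance(seconds)
    @now += seconds
  end
end

class RefreshTokenStore
  class InvalidToken < StandardError; end

  Token = Struct.new(:value, :expires_at, :session_started_at, keyword_init: true)

  # validity:    lifetime of each refresh token (api_guard's documented default is 2 weeks)
  # renew:       true  -> a refresh issues a token with a fresh expiry (sliding window)
  #              false -> a refresh issues a token that keeps the original expiry
  # max_session: hypothetical absolute cap on a chain of refreshes (nil = no cap)
  def initialize(clock:, validity: 14 * DAY, renew: true, max_session: nil)
    @clock = clock
    @validity = validity
    @renew = renew
    @max_session = max_session
    @tokens = {}
  end

  def login
    now = @clock.now
    issue(now + @validity, now)
  end

  # Consumes the presented refresh token and returns a new one, like the
  # posted controller's `@refresh_token.destroy` followed by a new token.
  def refresh(value)
    token = @tokens.delete(value)
    raise InvalidToken, 'unknown or already-used refresh token' unless token

    now = @clock.now
    raise InvalidToken, 'refresh token expired' if now >= token.expires_at
    if @max_session && now >= token.session_started_at + @max_session
      raise InvalidToken, 'session exceeded its absolute lifetime'
    end

    issue(@renew ? now + @validity : token.expires_at, token.session_started_at)
  end

  private

  def issue(expires_at, session_started_at)
    token = Token.new(value: SecureRandom.hex(16), expires_at: expires_at,
                      session_started_at: session_started_at)
    @tokens[token.value] = token
    token.value
  end
end

# Refresh once a day for `days` days; returns how many refreshes succeeded
# before the chain was rejected.
def refresh_chain_length(store, clock, days)
  value = store.login
  successes = 0
  days.times do
    clock.advance(DAY)
    begin
      value = store.refresh(value)
      successes += 1
    rescue RefreshTokenStore::InvalidToken
      break
    end
  end
  successes
end

# Maintainer's behaviour: the window slides, so a holder of the token who
# keeps refreshing is never cut off by expiry alone.
def sliding_chain_length(days = 60)
  clock = FakeClock.new
  refresh_chain_length(RefreshTokenStore.new(clock: clock, renew: true), clock, days)
end

# Reporter's proposal: the chain dies at the original expiry (day 14).
def fixed_expiry_chain_length(days = 60)
  clock = FakeClock.new
  refresh_chain_length(RefreshTokenStore.new(clock: clock, renew: false), clock, days)
end

# Sliding window plus a hypothetical 30-day absolute cap on the session.
def capped_chain_length(days = 60)
  clock = FakeClock.new
  store = RefreshTokenStore.new(clock: clock, renew: true, max_session: 30 * DAY)
  refresh_chain_length(store, clock, days)
end

# Because the presented token is destroyed on use, replaying it is rejected.
def reuse_rejected?
  store = RefreshTokenStore.new(clock: FakeClock.new)
  old = store.login
  store.refresh(old)
  store.refresh(old)
  false
rescue RefreshTokenStore::InvalidToken
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "sliding window, 60 daily refreshes: #{sliding_chain_length} succeeded"
  puts "fixed expiry,   60 daily refreshes: #{fixed_expiry_chain_length} succeeded"
  puts "sliding + 30-day cap:               #{capped_chain_length} succeeded"
  puts "replaying a consumed token rejected: #{reuse_rejected?}"
end
```

The simulation makes the trade-off concrete: with renewal on refresh, a leaked refresh token stays usable for as long as whoever holds it refreshes within the validity window, which is the reporter's concern; without renewal, the session simply ends when the original token would have expired, which is the client-side cost the maintainer describes. Deleting the presented token on every refresh (which the posted controller already does) means a consumed token cannot be replayed, and an absolute session cap, if one were added, bounds the sliding case without forcing clients to re-login every two weeks.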