iMerica / dj-rest-auth

Authentication for Django Rest Framework

Home Page: https://dj-rest-auth.readthedocs.io/en/latest/index.html

refresh_expiration not returned by /token/refresh endpoint in spite of update to cookie when 'JWT_AUTH_RETURN_EXPIRATION': True and 'JWT_AUTH_HTTPONLY': True

Routhinator opened this issue

With the following settings:

    'USE_JWT': True,
    'JWT_AUTH_COOKIE': 'site-access-token',
    'JWT_AUTH_REFRESH_COOKIE': 'site-refresh-token',
    'JWT_AUTH_HTTPONLY': True,
    'JWT_AUTH_RETURN_EXPIRATION': True,

The refresh_expiration time is not returned when the /token/refresh/ endpoint is hit, even though the refresh token expiration is updated in the HTTPONLY cookie. It is returned from the login endpoint, however.

Without the return from the refresh endpoint, a JavaScript client can only see the access_expiration. For now I am calculating the refresh_expiration by adding 23 hours and 59 minutes to the access_expiration as a workaround, but it would be ideal to have this returned to avoid having to calculate it.

I'm not sure what I had going on in local, but on an actual deployment I'm not seeing the refresh token updated, and I also see the code would return the expiration if it was being set - closing this as something being off with my testing.