Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issues with refresh token #1

Open
Jamison1 opened this issue Sep 14, 2023 · 3 comments
Open

Issues with refresh token #1

Jamison1 opened this issue Sep 14, 2023 · 3 comments

Comments

@Jamison1
Copy link

Great job on the template.

On refresh I noticed three issues:

  1. Although it successfully returns a new access token, it doesn't persist the new access token in the session which can also cause the refresh backend endpoint to be called multiple times, generating a new access token each time.

May be related to this: Tokens rotation does not persist the new token

Potential fix: Handling session updates & Updating the session

  1. The backend passes a field for expiresIn to determine the expiration of the access token. Why not just read the expiration directly from the jwt payload exp field?

Example in the jwt callback:

const jwtAccessPayload = JSON.parse(atob(access_token.split('.')[1]))
const AccessExpired = Date.now() >= jwtAccessPayload.exp * 1000
if (!AccessExpired) return token

If concerns about time difference, can also reduce jwt payload exp time given vs Date.now() by a few seconds

Can use the same logic to check refresh token expiration and that leads me to the third issue.

  1. No handling of the Refresh Token expiration?

Several ways to handle:
Redirect to login and update the session with the new jwt access and refresh tokens upon success.
Redirect to login and upon success redirect to previous page user was accessing.
Redirect to logout - bad UX if user was in the middle of changing data requiring an unexpired access and refresh token.

Middleware could be a solution for some of the issues as well - example middleware
@kisstamasj
Copy link

i have the same issue:
When the access token expired it refreshed automatically, but the new token doesent persist. I store the refresh token for the user in the database and every time I get new access token I also refresh the refresh token, so for me It won't work, because the new refresh token doesen't stay in the cookie, and when I try to get a new access token, I try to get a new one with an old refresh token.
I hope it is understandable.

@kapitalistn
Copy link

Try to add following to

refreshToken

function

`
let lastRefreshTime = 0;
let refreshRateLimit = 10000;

async function refreshToken(token: JWT): Promise {
const currentTime = new Date().getTime();

if (currentTime - lastRefreshTime < refreshRateLimit) {
console.log("Rate limit hit, not refreshing token");
return token;
}

lastRefreshTime = currentTime;

const res = await fetch(process.env.NEXT_PUBLIC_API_URL + "/auth/refresh", {
method: "POST",
headers: {
authorization: Refresh ${token.backendTokens.refreshToken},
},
});
console.log("refreshed");

const response = await res.json();

return {
...token,
backendTokens: response,
};
}`

@Zakariaels
Copy link

Any updates on this issue ?
@vahid-nejad

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Jamison1 @Zakariaels @kisstamasj @kapitalistn