Refresh token #30
Refresh token #30
Conversation
|
Seems that the issue is coming form gatsby-plugin-node but can point why... Can you assist? |
| @@ -1 +1 @@ | |||
| v12.18.3 | |||
| v14.15.0 | |||
There was a problem hiding this comment.
nice this looks like the new LTS for node but now you should also make sure the Dockerfile and github workflows are updated to also use this node version
you could update your github actions to automatically use the value in the nvmrc
or it looks like nvm was added to the github action virtual environments so you could also just update your github actions to use nvm directly
The idea is that when a user logs in a refresh token is saved to the DB and deleted when he logs out. On the front end if a response comes back with a status code 404 and if there's a expired token it will retrieve the refresh token from the DB and if there's a refresh token hit a refresh route to get a new token. (Not sure where exactly on the front end, maybe in the I did find several tutorials on how to implement the refresh token on the backend but could't find anything good on the client side... |
| "gatsby": "2.24.52", | ||
| "gatsby": "2.25.2", | ||
| "gatsby-plugin-create-client-paths": "2.3.11", | ||
| "gatsby-plugin-nodejs": "0.7.0", | ||
| "gatsby-plugin-nodejs": "0.6.4", |
There was a problem hiding this comment.
i think the build issue you were seeing was caused by other issues and these downgrades can probably be reverted
| }, | ||
| { useFindAndModify: false, | ||
| new: true }, | ||
| ); | ||
|
|
||
| return res.json({ token, info }); |
There was a problem hiding this comment.
The idea is that when a user logs in a refresh token is saved to the DB and deleted when he logs out. On the front end if a response comes back with a status code 404 and if there's a expired token it will retrieve the refresh token from the DB and if there's a refresh token hit a refresh route to get a new token.
it might help to get a complete picture to update the logout route to delete the refresh token in this iteration?
also it looks like this implementation doesnt pass the refresh token back to the user but i read a few articles on this and it looks like they all suggest passing the refresh token back to the user. and then when the user needs to get a fresh token, it passes that refresh token in the request. otherwise anyone could get a refreshed token without auth?
also it would help if you also implemented the route for refreshing the token in this iteration (assuming you're implementing refresh in that way) so we can make sure refreshing a token automatically works. it's probably good tho to ya at least defer the frontend implementation for this to a separate PR
| const refreshToken = jwt.sign( | ||
| { user: body }, | ||
| process.env.REFRESH_TOKEN_SECRET, | ||
| ); |
There was a problem hiding this comment.
this refresh token should probably have some expiration like 24 hours or something
|
Just to let you know that I couldn't do much over the weekend. We got hit by a major hurricane (cat. 4) on Wednesday and it rained over a foot in 4days. We're pretty much without power and internet till today. Will get back to it ASAP. |
|
wow that's crazy hope you guys are doing ok. thanks for the update |
|
Yeah, we had some intense moments, but we're fine. I spoke yesterday with a friend who is also a developer and he recommended the following approach:
What do you think? |
|
ya i think something along those lines should work but only thing is how is the refresh route authenticated? doesn't the refresh token need to be given to the client? wouldn't the flow need to be something like:
|
Where in gatsby would the the logic for |
|
there's a couple ways you could do this:
|
|
I will close this PR and start fresh. |
Backend implementation to attribute and save a refresh token to the DB.
The idea is to save a refresh token when a user logs in that can be checked and used to emit a new token if the user makes a request with an expired token.