
I have created a Node.js backend. On login I am sending a JWT token. For user experience I don't want them to re-login but instead get their tokens refreshed, which I have set to expire in 4 hours.

However, I am not getting a good lead on how to do this effectively. My idea is to provide a button on the client side, by clicking on which the user can get their tokens refreshed. Assuming a REST call that I can make from the client side, I need help with its implementation. Appreciate it.

    // response is the user document looked up by email; compare the submitted
    // password against the stored bcrypt hash
    if (response) {
        bcrypt.compare(req.body.password, response.password, (error, result) => {
            if (error) {
                // bcrypt itself failed (not a wrong password)
                return res.status(500).json({ message: 'Auth Failed! Could not verify password.' });
            }
            if (result) {
                // password matched: issue a 4-hour access token
                const token = jwt.sign(
                    {
                        email: response.email,
                        userId: response._id
                    },
                    process.env.JWT_KEY,
                    {
                        expiresIn: '4h'
                    });
                return res.status(200).json({
                    message: 'Auth Successful! User Found. ',
                    token
                });
            } else {
                return res.status(404).json({
                    message: 'Auth Failed! User Not found'
                });
            }
        });
    }
TrickOrTreat
  • What about whenever you hit `401`, you trigger the token refresh API? – Saikat Chakrabortty Aug 09 '19 at 05:45
  • @saikatchakrabortty That's right, it's not the final draft. However, I would appreciate any answer to my question. And I don't think it would be wise to refresh the token on hitting 401. It's nothing but a breach, as that user would have landed on 401 on providing an invalid token. – TrickOrTreat Aug 09 '19 at 05:46
  • So you can refresh your token only if the old one is not expired yet, or can you always refresh? – AZ_ Aug 09 '19 at 07:40
  • Possible duplicate of [JWT (JSON Web Token) automatic prolongation of expiration](https://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration) – AZ_ Aug 09 '19 at 07:44

1 Answer


You would need two tokens:

  1. Refresh Token (will be saved in db)
  2. Access Token (your JWT which will expire quickly e.g. 10 mins)

The refresh token typically does not expire quickly. However, there may be a challenge in how to secure the refresh token.

You also need to change the refresh token in the database every time the user refreshes their token / logs in.

You also need to store the expiry_date of your access token (you can make it a response from your login API).

Then, in your front-end, you can store those tokens in localStorage / sessionStorage depending on your security requirements.

Then, each API call would check the expiry date that you've set. And if it reaches a certain threshold (e.g. 5 mins before expiry_date), you'd call the refresh token API.

This is a method that I've used. However, it may not be considered a best practice.

kkesley