What happens to JWT refresh token that is yet to expire in a node application?

Question

I have a blog application I am building. I used node.js, expressjs, mongodb and reactjs. This is how I implemented the jwt system in the app:

When a user logs-in, the user generates accessToken and a refresh_Token. The accessToken will expire in 15 minutes while the refresh_Token expires in 30 days. I also stored the refresh_Token in redis database.

I created a route for the refresh token so that the user can generate another accessToken without logging out. Now, at the point of regenerating a new accessToken via the refresh route, the user also generates a new refresh_Token. I read that I should do that. My question is this: what happens to the previous refresh_Tokens each time a new accessToken and refresh_Token are generated? Since the refresh_Token route is called every 15 minutes to generate new accessToken and refresh_Token before it expires in 30 days? Are they kept somehwere? Using the redis.set(), the previous refresh_Tokens are always replaced with the new ones. So, I can't see the previous token in the redis database. Where are they kept for the 30 days before they expire and becomes invalid?

Answer 1

JWTs are self-sufficient, so generally you don't have any influence on already issued token from your server-side (the issuer). Refresh token will remain valid until it's expiration date is valid if no other logic is implemented on server side (for example, black lists).

Consider this article before working with JWTs: https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens (it mentions the cons but the pros as well, just scroll a bit :) )

Also this question may be useful: JWT (JSON Web Token) automatic prolongation of expiration