Monday 25 February 2019

Authentication flow using custom authentication

TL;DR - Noob trying to learn about authentication without using a third party because I want to learn it first and not just jump into something I know nothing about and slap it in the application. What's the flow of authentication using JWTs and Refresh Tokens for log in, sign up, logout, without having to sign in every time like Discord?

authenticate.js gist

I'm really sorry for the long post... I know you're probably thinking "why are you trying to do your own authentication when you have third parties like Auth0?" Well, I want to learn more about authentication and how it works before using a third party service. If I can do it on my own first, I will understand a lot more when I want to implement an authentication service for a real application.

So I'm working on an authentication server for a chat application in Node that has the basics: log in, sign up, send verification code, confirm verification code, and logout. I got pretty much all of it working using JWTs, but then I thought that it would be nice to not make the user have to login every time, a lot like Discord. So I looked into refresh tokens and wanted to implement that in my auth server. I think I have the flow down, but like I said, I'm learning this from very little knowledge. Everything has come from blogs, articles, and asking smarter people than I am, such as you fine fellows.

Anyway, I just wanted to get an idea on the flow of authentication. I got deep in the code last night and got so lost I'm pretty much starting over from the refresh token perspective. I want to do it right this time and make sure I have all the "gotchas" accounted for.
So here is the flow that I think it should be:

Login -> create JWT (expires in 15 mins) and Refresh Token (expires in 2 weeks) to send to the client, both in the cookies (so it's sent with every request automagically) -> save the refresh token in the database -> go to secure route - let's say /profile - where a middleware called authenticate will be run to make sure the user has a valid, non-expired token -> if the token is expired but the user has a valid refresh token, then create a new JWT, clear the cookies, add the new JWT and Refresh Token to cookies and send back to the client.

Logout -> clear the cookies and remove the refresh token from the database.

What am I missing? I know I didn't go into great detail on the process I have, but that's because this post is long enough; the code is linked above if you want to check it out. I know it's ugly, but you understand now why I'm starting over.

Thank you for reading if you made it this far, and I really appreciate your help.

Submitted February 26, 2019 at 03:07AM by Clink50
