I've decided to use short-lived (15 minute) JWT tokens and long lived (7 days) refresh tokens.The JWT Tokens just have the users id (sub) and their roles in them.The refresh token is stored in my PostgresQL database with the following structureidtokenuserIdexpiryDateipPrimary KeyUnique Token (randomly generated, crypto.generateBytes)Foreign Key to the "users" tableHas to be less than the current dateIP of the clientThe flow is something like this:- User logs in and gets a new access token + refresh token- The userId column is unique meaning that only one refresh token per user (only one active session, think Snapchat)- The accessToken can be regenerated by sending the refreshAccessToken(token: string) mutation to the server- When a user requests a protected resource, JWT is verified using express-jwt- If a user requests a specific protected resource, Then the userId from the token (sub) is used to access the resource that corresponds to that user, so say if a user wants to get their data. Instead of going user(id: $id) // id being the userId the query is just user and the user fetched from the database has the same ID as the one in the token; so that way only users can request their own objectsHowever, having it set up like this I've ran into some issues/questions:How can I check if the access token is valid on the client? Do I have to send a request to the server every X seconds and generate a new access token to use for further requests; or should I just send the refresh token along with each requestIs there a need to hash the "token" field on the "RefreshToken" table?Should I store the jwt tokens in reds so they can be easily blacklisted/revoked or is there a need for thisIs my way of checking if the user has access to a certain specific resource good or is it vulnerable to attacks?Thanks to anybody who can help me out!
Submitted June 01, 2019 at 02:40PM by jesster2k10
No comments:
Post a Comment