
JWT Authentication with Access Tokens & Refresh Tokens In Node JS

CyberWolves on April 20, 2022

What's up guys. We all know most important feature in every application is authentication. To make that authentication much more secured and make b...
Farzin • Edited

NOT SECURE AT ALL.
You are sending the refresh token with the response and you are expecting the refresh token from the body? You need to understand that this method is basically the worst way of doing it. So many things are wrong with your code, but the most important thing:
You should send the refresh token as httpOnly secure cookie with proper sameSite.

res.cookie('jwt', newRefreshToken, {
    httpOnly: true, 
    secure: true,
    sameSite: 'Strict',  // or 'Lax', it depends
    maxAge: 604800000,  // 7 days
});

And when you want to get a new access token, inside your refresh controller you get the refresh token from cookie (req.cookies.jwt) and then verify it.

Dear author, you can't just write an article about these topics if you are not a professional at it.

volodymyr-matselyukh

Totally agree with Farzin. In your solution, the refresh token decreases the security of the system? A refresh token can be compromised with the same probability as an access token (because they both reside in the same place, the body), and at the same time the refresh token has a way longer lifetime. That absolutely decreases security.

Mavericx

Clearly, you @farzindev and @volodymyrmatselyukh see lots of problems in this implementation. Why don't you guys write better implementations addressing those issues?

Still, @cyberwolves's article is a good reference for those unaware of how to handle such cases.

Mark-Dave-S

chill man :v

Sébastien Loix

He is right. Security is a serious topic... only experts in the field should be teaching it with actual best practices.

Mark-Dave-S

yeah I know man, you gotta chill or this site will become the next stackoverflow

Mohamad El Bohsaly

Thank you @cyberwolves for your comprehensive documentation.
Let me get this straight:

  1. Login or sign up generates a new access token accompanied by a refresh token
  2. Upon firing protected API calls, I use the access token inside the verifyToken middleware function. In case the access token has expired, I use the refresh token instead and regenerate an access token
  3. Logging out removes both tokens
Hermes-fire

Can you make an article about the frontend part using React?

Dalibor Čarapić

If I understood correctly, you cannot be logged in on multiple devices because there is only one refresh token per user?

Hong Phuc

It's a different aspect. The refreshToken only helps you secure the application more properly compared to using one accessToken. If you want to restrict one user per device, you need to save users' info whenever they log in and compare it with the newer info.

Arya Aniket

What is the purpose of the refresh token, when you only have to have an accessToken and you store the refresh token?

Q D

A refresh token is used to obtain a new (short-lived) access token when it has expired, instead of using the username/password. A refresh token has a longer lifetime.