DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

Discussion on: API Authentication Workflow with JWT and Refresh Tokens

Collapse
 
gokayokyay profile image
GΓΆkay Okyay

Hey, it's a very good point!
The refresh tokens can be very long-lived JWTs but in this case you'll want to handle refresh token creation/expiration differently than I've mentioned above. Maybe you can create a logic something like that users need to post their expired refresh tokens with jwts. Than you check them both and verify that they belong to the same user and create another refresh token and jwt. Hopefully I could answer your question :)

Collapse
 
kritish58 profile image
Rishi58 • Edited on

thank you for your response,

1.store refreshToken=>token in redis db in server (if we can store in redis server will that cache remain alive till the refresh_token remains alive -like for 2-3 days or even a week)

2.whenever server recieves an expired token, it verfies the expired token from that mapping in no.1 and sends a new token to the client

3.I can store refreshToken in a cookie with better security like {sameSite} {httpOnly} {secured} and send it to server in every request from client

please correct me if this understanding is wrong, thank you

Collapse
 
farshadahmadi profile image
Farshad Ahmadi Ghohandizi

If access and refresh tokens are gonna be saved to (Redis) DB, should they be hashed? I assume they should.