Why do we use accessToken and refreshToken? #1243

antoniopresto · 2022-11-17T01:19:47Z

antoniopresto
Nov 17, 2022

The accessToken validation uses ignoreExpiration: true here.

We only check if the session saved in the DB is "valid": true.
Could we just save the session id in the refreshToken and ignore the sessionToken?

antoniopresto · 2022-11-17T01:57:53Z

antoniopresto
Nov 17, 2022
Author

One advantage I thought of is that the refreshToken is not saved in the DB, so if someone gains unauthorized access to an independent sessions DB, it would be more difficult to log in on behalf of someone else

Hmm, this can be protected with one single token too

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Why do we use accessToken and refreshToken? #1243

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Why do we use accessToken and refreshToken? #1243

Uh oh!

antoniopresto Nov 17, 2022

Replies: 1 comment

Uh oh!

Uh oh!

antoniopresto Nov 17, 2022 Author

antoniopresto
Nov 17, 2022

antoniopresto
Nov 17, 2022
Author