Refresh token backend or frontend

[yarapolana]

I have been asked to implement refresh token logic, but I am unsure how to begin.

I am using v5, and how it was explained was

• the user's token expires, and when they are logged in,
• when they do another request the server returns a 401
• in between that request some form of middleware with refresh token logic kicks in
• request continues without the user ever logging out

I know how to do it in the front end, I used react native in a different project, with axios, and axios has a intercept option that can do this.

My question is, is this best practice, is there something else I should do in the backend?

Just open for suggestions and discussions.

[thetutlage]

Short answer

Refresh tokens is mainly a concept originated from JWT tokens. AdonisJS doesn't use JWT and it uses database backed tokens, hence there is no need to have refresh tokens at all.

Long answer

JWT tokens are self contained and never saved to any backend storage. This is how the flow looks like

• User provides the credentials
• Backend issues a JWT token using a secret key and doesn't save it anywhere
• On authenticated request, backend can verify the token by using the same secret key

The entire flow doesn't need any database or any other kind of storage.

But this creates a huge security gap, since the backend always accepts the token until it can be verified using the secret key

• What if the token gets stolen?
• What if the app has vulnerability and was leaking tokens?

Because of this, the industry recommends giving smaller expiry to your JWT tokens. It is usually as small as 5mins. Now, if the tokens get leaked, they can be used for next 5mins only.

But this hampers the UX of the application, as now the user has to login every 5mins. So industry came up with another idea of refresh tokens. Refresh tokens are saved in the database on the backend and are usually long lived or atleast don't expiry in minutes.

Now when the JWT expires, the client can use the refresh token to generate a new JWT token. Also, if the refresh token gets leaked. As the app owner, you just have to delete them from your database and the tokens are now useless.

• AdonisJS at the first place uses database backed tokens called Opaque tokens.
• They have longer expiry just like refresh tokens
• And under your control, as they are saved inside a backend storage.

JWTs are over rated and not required in 99% of the cases.

Finally, I recommend reading the following posts and if have some spare time, also watch the video

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
http://cryto.net/%7Ejoepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
https://www.youtube.com/watch?v=67mezK3NzpU

[yarapolana]

This is exactly what I was looking for, you explained so well as always.
Thank you for taking the time to write this.

[osueke-christian]

Apt and on-point.
@thetutlage beyond the developer docs, are there any other suggested reads, documentation, specifications, or even videos for someone who wishes to understand the core and internals of Andonis for the sake of contributing to the community by building open-source packages and extensions?

[krunaldodiya]

How to make expiry works instead of total 30 mins from login, idle session of 30 mins ?