Small question about refresh tokens #3
Comments
Hi, glad it's helping you! I had fun putting this together and pleased to see others benefitting also. It's been a little while so apologies for any mistakes in recollection. Yes, I think you're correct in your analysis. I seem to recall settling on this approach because I liked the UX polish While I find this to create a nice UX for people who access the app at least once a week, if it's important in your app to avoid this coupling -- to more deliberately control when Hope this helps and good luck getting your 😴 pattern back on track ⚡
Thanks for the response! Our project at the moment doesn't use Apollo-client in favour of a slightly more lightweight solution, but perhaps this might still change. While looking around, I stumbled across this page in the Authlete docs. I am not familiar with Authlete at all, but they did mention three different ways of handling refresh tokens. I quote:
I guess which one is right is, as always, a trade-off between security, stakes, risks, use case and UX. I think I might go with the last option for our project, which I think is just a case of reading Anyways, enough of my rambling. Thanks for the example and the response!
Hey! Thanks for the wonderful examples, they really were an eye opener for something I've lost some nights' sleep over.

One thing I can't really get my head around is the `sendRefreshToken()` call in both the `installCookieJWT` middleware and the `refreshTokenPlugin` schema extension. `sendRefreshToken()` is of course needed in `refreshTokenPlugin`, as otherwise the refresh token wouldn't be set at all, but do I read correctly that it's set in the former as well? More to the point, am I correct in the assumption that you extend the expiry of the refresh token every time a new access token is set?

Thanks in advance!
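The expiry question above (does issuing a new access token extend the refresh token's lifetime?) comes down to which expiry policy the refresh endpoint applies, and the trade-off the thread discusses can be made concrete in code. The following is an added example, not the project's `sendRefreshToken()` or `refreshTokenPlugin`: it contrasts a fixed expiry, a sliding expiry, and a sliding expiry bounded by an absolute maximum age, and shows the cookie attributes a refresh-token cookie should carry. The policy names, the cookie name `jid`, the `/refresh_token` path and the TTL values are this example's assumptions.

```javascript
// Added example (not the project's code). Refresh-token record shape assumed
// to be { issuedAt, expiresAt } in epoch milliseconds.
const DAY_MS = 24 * 60 * 60 * 1000;

// Policies (names are this example's own):
//   'fixed'   - expiry never moves; the user logs in again when it lapses
//   'sliding' - every access-token refresh pushes expiry out by ttlMs, so an
//               active user never re-authenticates (the coupling the thread
//               asks about); a stolen token stays usable as long as it is used
//   'bounded' - sliding, but never past maxAgeMs after the original login,
//               which caps how long a leaked token can be kept alive
function nextExpiry(record, now, policy,
                    { ttlMs = 7 * DAY_MS, maxAgeMs = 30 * DAY_MS } = {}) {
  if (now >= record.expiresAt) {
    throw new Error('refresh token expired; re-authentication required');
  }
  switch (policy) {
    case 'fixed':   return record.expiresAt;
    case 'sliding': return now + ttlMs;
    case 'bounded': return Math.min(now + ttlMs, record.issuedAt + maxAgeMs);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Plays the role of sendRefreshToken(): writes the token as an HttpOnly cookie
// scoped to the refresh endpoint only, so it is never sent with ordinary API
// requests. `res` is assumed to expose Node's setHeader(); returns the header
// value so it can be inspected.
function sendRefreshToken(res, token, expiresAt, now, path = '/refresh_token') {
  const maxAge = Math.max(0, Math.floor((expiresAt - now) / 1000));
  const cookie = [
    `jid=${encodeURIComponent(token)}`,
    `Max-Age=${maxAge}`,
    `Path=${path}`,
    'HttpOnly', 'Secure', 'SameSite=Strict',
  ].join('; ');
  res.setHeader('Set-Cookie', cookie);
  return cookie;
}

// Constructed sample: a token issued at t=0 that a 'sliding' server has
// already extended to day 28; the user refreshes again on day 26.
const SAMPLE = { issuedAt: 0, expiresAt: 28 * DAY_MS };
const NOW = 26 * DAY_MS;
const fakeRes = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
console.log('fixed  :', nextExpiry(SAMPLE, NOW, 'fixed') / DAY_MS, 'days');
console.log('sliding:', nextExpiry(SAMPLE, NOW, 'sliding') / DAY_MS, 'days');
console.log('bounded:', nextExpiry(SAMPLE, NOW, 'bounded') / DAY_MS, 'days');
console.log(sendRefreshToken(fakeRes, 'tok', nextExpiry(SAMPLE, NOW, 'bounded'), NOW));
```

With the bounded policy the day-26 refresh lands on day 30, not day 33, so an active session still rolls forward but can never outlive the absolute cap.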