I am working in Laravel as an API backend and have implemented JWT auth for tokens.
After researching the JWT workflow, what I understood is:
1) The JWT token should have the shortest expiry time (TTL: 30 minutes).
2) The JWT refresh token's expiry should not be greater than 1 week.
The flow, as I understood it, is:
1) The user logs in and receives a JWT token.
2) For every request, it should provide the JWT token to the system.
3) If the JWT token is expired, the system checks the JWT token and provides it with the refresh token.
What I did not understand is:
1) What to do if the refresh token is expired? Does the user have to sign in again?
2) Should the mobile app replace the expired token with the refresh token and provide the currently saved refresh token every time it makes a request to the system?
3) If an unauthorized person has the expired token, he/she can still access the person's information, since the system always provides it with a refresh token and the loop continues.
4) Do I have to store the refresh token in the Laravel app?
I extracted the JWT token check into the VerifyJWTToken.php middleware:
<?php

namespace App\Http\Middleware;

use Closure;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
// Base class path as in tymon/jwt-auth 0.5.x (1.x moved it under Http\Middleware).
use Tymon\JWTAuth\Middleware\BaseMiddleware;

class VerifyJWTToken extends BaseMiddleware
{
    public function handle($request, Closure $next)
    {
        try {
            // Read the token from the request and resolve the user it belongs to.
            if (!$user = JWTAuth::parseToken()->authenticate()) {
                return response()->json([
                    'status' => 'false',
                    'data' => null,
                    'message' => 'User not found'
                ]);
            }
        } catch (TokenExpiredException $e) {
            // The token is correctly signed but past its TTL: mint a new one
            // (only possible inside refresh_ttl) and hand it back with the request.
            try {
                $refreshed = JWTAuth::refresh(JWTAuth::getToken());
                $user = JWTAuth::setToken($refreshed)->toUser();
                $request->merge(['refreshed_token' => $refreshed]);
            } catch (JWTException $e) {
                // Refresh window closed, token blacklisted, or otherwise unusable.
                return response()->json([
                    'status' => 'false',
                    'data' => null,
                    'message' => 'Token Invalid'
                ]);
            }
        } catch (JWTException $e) {
            // No token in the request, or it could not be parsed at all.
            return response()->json([
                'status' => 'false',
                'data' => null,
                'message' => 'Token Not Provided'
            ]);
        }

        auth()->login($user);

        return $next($request);
    }
}
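As an added example (not Laravel or tymon/jwt-auth code, and written in Python so the logic stands on its own), the model below works through the lifecycle the questions above ask about: a 30-minute access TTL, a one-week refresh window measured from the original login after which refresh fails and the user has to sign in again, and a server-side blacklist that consumes each token on refresh so a leaked expired token cannot be refreshed a second time. The secret, token format and claim names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
# Constructed demo values; a real deployment takes these from its own config.
SECRET = b"constructed-demo-secret"
TTL = 30 * 60            # access token lifetime: 30 minutes, as in the question
REFRESH_TTL = 7 * 86400  # refresh allowed this long after the ORIGINAL login (1 week)
BLACKLIST = set()        # jti values already consumed by a refresh (server-side state)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")
def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue(sub, now, orig_iat=None):
    """Mint an HS256 token; orig_iat keeps the original login time across refreshes."""
    payload = {"sub": sub, "iat": now, "exp": now + TTL, "jti": secrets.token_hex(8),
               "orig_iat": now if orig_iat is None else orig_iat}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + _b64(json.dumps(payload).encode())
    return (signing_input + b"." + _sign(signing_input)).decode()

def _decode(token):
    """Verify the signature and return the payload, or None if it does not check out."""
    parts = token.encode().split(b".")
    if len(parts) != 3 or not hmac.compare_digest(_sign(parts[0] + b"." + parts[1]), parts[2]):
        return None
    body = parts[1] + b"=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(body))

def authenticate(token, now):
    """Per-request check. Returns (subject, reason)."""
    p = _decode(token)
    if p is None:
        return None, "invalid"
    if p["jti"] in BLACKLIST:
        return None, "blacklisted"
    if now >= p["exp"]:
        return None, "expired"
    return p["sub"], "ok"

def refresh(token, now):
    """Swap an expired but correctly signed token for a new one. Returns (token, reason)."""
    p = _decode(token)
    if p is None:
        return None, "invalid"
    if p["jti"] in BLACKLIST:
        return None, "already refreshed"
    if now >= p["orig_iat"] + REFRESH_TTL:
        return None, "refresh window closed, log in again"
    BLACKLIST.add(p["jti"])  # the old token can never be replayed or refreshed again
    return issue(p["sub"], now, p["orig_iat"]), "ok"
```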