I would like to know if what I've done so far is a sound way of authenticating/renewing the token, and if there are any flaws or vulnerabilities I should be aware of, as I have tried to limit database interaction to nil. Here goes.
NB: SSL will be implemented in production
Bounty awarded to @Valdas as he was the only one who actually answered
The API returns a short-lived token (JWT), which expires in 15 minutes, and, in an HTTP cookie, a refresh token that expires in 7 days. The JWT is currently used for accessing secured routes on the API, whereas the refresh token generates a new JWT access token when it expires, or even before.
Yes, you need a separate service that issues and refreshes tokens. It won't update the expiration of the existing JWT. A token is simply JSON field-value pairs that are base64-encoded, so changing the data changes the output.
To authenticate a user, a client application must send a JSON Web Token (JWT) in the Authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code to your API to process the authentication.
JSON Web Tokens (JWTs) provide a method of authenticating requests that is convenient, compact, and secure. More often than not, Angular apps will include them in their data flows.
There is no need to loop over token expiration checks. I use https://github.com/auth0/angular-jwt as a library for my Angular projects; it provides a way to refresh the token just before the HTTP request is fired, simplifying the auth mechanism.
Also, you could remove the token from the request if it's loading a template (the URL ends with .html), but this is just a personal preference.