I am using jsonwebtoken in a NodeJs API application for authenticating users in my API application. The flow that I have set up is as follows:
1) The user registers through the signup API and the access token is generated using the following:
var jwt = require('jsonwebtoken');
var token = jwt.sign(user, _conf.authentication.superSecret, {
  // I intend to keep it short.
  // Note: jsonwebtoken treats a numeric expiresIn as seconds, so 1440 is 24 minutes;
  // a string such as '24h' gives 24 hours.
  expiresIn: 1440
});
2) The token expires in 24 hours, for example. This token is returned to the client mobile application to use as a header in all subsequent API requests.
I want to know how to work with refresh tokens for JWT. Currently I don't have a mechanism for refreshing the token. Hence, if the token expires in 24 hours, I want the client (mobile app) to be able to request a new access token. Thanks in advance.
In the URL field enter the address of the refresh-token route of your local API, http://localhost:4000/users/refresh-token. Click the Send button; you should receive a "200 OK" response containing the user details and a JWT access token, and a cookie containing a new refresh token.
The refresh token payload is encrypted because it's not for you. Its contents are only meant for the authorization server, which will be able to decrypt it. You only use the refresh token to request a new access token when yours expires.
To use the refresh token, make a POST request to the service's token endpoint with grant_type=refresh_token, and include the refresh token as well as the client credentials if required.
I had the same problem in a project.
1) I created the refresh token and returned it when the user signed in (with the jsonwebtoken). I saved the refresh token with the user.
2) When the client sends a request with the expired token, the server returns 401.
3) I implemented a new path to refresh the token. It receives the refresh token and the user as params and returns a new token (jsonwebtoken).
4) (optional) You can implement a mechanism for invalidating a refresh token, in case someone stole it.
I based my implementation on this post, really good snippets:
Refresh token in JWT (Node.js implementation)
Hope it helps.