
refresh_token_rotation's Introduction

"Node JS Tutorial Series - Refresh Token Rotation and Reuse Detection"

✅ Check out my YouTube Channel with all of my tutorials.

Deploy by clicking the button above. Remember to add your .env variables in the deployed version.

Description:

This repository shares the code applied during the YouTube tutorial. The tutorial could be considered a bonus chapter for the Node.js & Express for Beginners Playlist on my channel.

YouTube Tutorial for this repository.

I suggest completing my 8 hour JavaScript course tutorial video if you are new to JavaScript.

Academic Honesty

DO NOT COPY FOR AN ASSIGNMENT - Avoid plagiarism and adhere to the spirit of this Academic Honesty Policy.

refresh_token_rotation's People

Contributors

gitdagray


refresh_token_rotation's Issues

TypeError: newRefreshTokenArray is not iterable

Hello. I am trying to manually test the auth route (http://localhost:3500/auth) using Thunder Client, and I'm getting the following error:

POST /auth
cookie available at login: {}
/refresh_token_rotation/controllers/authController.js:67
        foundUser.refreshToken = [...newRefreshTokenArray, newRefreshToken];
                                     ^

TypeError: newRefreshTokenArray is not iterable
    at handleLogin (/refresh_token_rotation/controllers/authController.js:67:38)

Node.js v18.12.1
[nodemon] app crashed - waiting for file changes before starting...

It appears to be happening here:

        // Saving refreshToken with current user
        foundUser.refreshToken = [...newRefreshTokenArray, newRefreshToken];
        const result = await foundUser.save();
        console.log(result);
        console.log(roles);

refresh token behavior

Hello dear Dave. In authController.js you set the cookie like this:
res.cookie('jwt', newRefreshToken, { httpOnly: true, secure: true, sameSite: 'None', maxAge: 24 * 60 * 60 * 1000 });
But you don't specify Path, so the refresh token will be sent on every HTTP request. Isn't this a problem? Doesn't this increase the risk that the token will be stolen?

And if you did it on purpose, why not add to verifyJWT an update of the access token if it has expired? It would be better for the user, because he would update his token silently and would not get any error.

P.S. I am a beginner in backend, sorry if this question is silly
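
An added example for the Path question above (not code from the issue or from the repository): it applies the RFC 6265 path-match rule to show which requests carry the jwt cookie when it is scoped to Path=/ (what Express's res.cookie uses when no path is given) versus a dedicated refresh path. Only /auth appears in the issue; the other routes and the /refresh scope are assumptions made for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: the rule a browser applies to decide
// whether a stored cookie is attached to a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary: "/refresh" must not match "/refreshments".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Build the Set-Cookie header with the attributes from the issue plus an explicit Path.
function refreshCookieHeader(token, path) {
  const maxAgeSeconds = 24 * 60 * 60; // same lifetime as maxAge: 24 * 60 * 60 * 1000 (ms)
  return [
    `jwt=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`,
    `Path=${path}`,
    'HttpOnly', 'Secure', 'SameSite=None',
  ].join('; ');
}

// Which of the given request paths would receive a cookie scoped to cookiePath?
function pathsReceivingCookie(cookiePath, requestPaths) {
  return requestPaths.filter((p) => pathMatches(p, cookiePath));
}

// Constructed route list: only /auth is taken from the issue, the rest are assumed.
const ROUTES = ['/auth', '/refresh', '/logout', '/employees', '/employees/42', '/refreshments'];

console.log(refreshCookieHeader('constructed.sample.token', '/refresh'));
console.log('Path=/        ->', pathsReceivingCookie('/', ROUTES));
console.log('Path=/refresh ->', pathsReceivingCookie('/refresh', ROUTES));
```

With the narrower scope a logout handler that reads the jwt cookie no longer receives it, so that route would have to sit under the same path prefix. The Path attribute limits which requests carry the token but does not isolate it from other code served by the same origin.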
