
Comments (16)

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

Bump:
Ok, I was looking at the requests made to the https://api-demo.websanova.com/api/v1 webserver from the demo, and the https://api-demo.websanova.com/api/v1/auth/user request actually sends the old token that was previously generated. After successfully getting the User, which I don't understand how, when the token is invalid now since on app load we refresh it, all the later requests use the newly generated token.

I was looking at the routes in the laravel-api-demo and you use the same middleware on the same routes as me. How does the JWT middleware let you use the old token to get the users?

I tried overwriting tokenExpired with a return false, but you can't refresh the token now (at least not automatically). I could check when the token expires, but I can't access the $auth.ready() and other helpful functions inside the tokenExpired overwrite. If I could access them, I could decode the token and check for expiration and if so, return an appropriate boolean to get a new token or not.

After digging into your source, you have really put a lot of thought into making it polymorphic and usable on other platforms as well, congrats on that!

from vue-auth.

websanova avatar websanova commented on September 25, 2024

Not sure what your question is really? Is it API or about the plugin?

There are many ways to access token or create your own auth scheme. Did you
read the docs? There is a token method there.


from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

Ok, most important one: why does the User request use the old token after it was just refreshed? This pretty much breaks my whole app and the usage of the plugin, which is a shame. I thought I made it clear, maybe it's me.

from vue-auth.

websanova avatar websanova commented on September 25, 2024

Well, yes, the requests are firing simultaneously. Normally tokens don't
expire immediately. If you need it sequentially the refresh can be disabled.


from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

The moment a token is refreshed, requests with the old token are considered invalid (token blacklists and so on), returning an error, stopping the whole app, leaving a blank screen.

Anyway, I see this is not in your priority list so I will stop commenting on the issue.

from vue-auth.

websanova avatar websanova commented on September 25, 2024

It depends on the scheme. If you are using jwt the expired token is still
actually valid for another minute or so after expiry. This is in case you make
many requests at the same time (given the token could potentially change
anytime). If you are doing a single token scheme via database (for example)
it's different since there is strictly one token. In this case one would
probably disable the refresh as it would not be necessary. However in this
case you would always run the risk of an expired token.

I'm not sure what is best practice for refreshing tokens in the latter case
hence I use jwt to accommodate this scenario and it seems to work well.


from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

This is strange. You are absolutely right about the many requests at once, the token shouldn't get invalidated on the spot, but I don't get that grace period on the JWT tokens... They are invalid immediately.
I am using "tymon/jwt-auth": "^0.5.9" as you are on the Laravel end of things.
Have you set anything special in the .env file?

from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

I just installed your repo and all works properly. The second request gets through with the old token. The only difference is that you are running 5.2 and I am on 5.1 Laravel. I will upgrade today and see if that has to do with anything, though it should be pretty much the same. Will keep you updated.

from vue-auth.

Itsyuka avatar Itsyuka commented on September 25, 2024

I've had the same issue, I was requesting the user data before the auth was fully initiated

`


...

`

from vue-auth.

websanova avatar websanova commented on September 25, 2024

I just checked my local .env and realized I also have:

JWT_BLACKLIST_ENABLED=false

Maybe that can work for you also.

from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

Yeah, pretty much not blacklisting the tokens gives you the ability to use an old token. The new version of Tymon's plugin will have a blacklist_grace period.

from vue-auth.
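
An added example (not code from this thread, vue-auth or tymon/jwt-auth) that models the three server settings discussed above: blacklist disabled, blacklist with no grace, and blacklist with a grace window. The class, option names and timeline are hypothetical.

```javascript
// Added example: an in-memory model of refresh-time blacklisting. TokenBlacklist,
// graceSeconds and simulatePageLoad are hypothetical names, not tymon/jwt-auth's API.
class TokenBlacklist {
  constructor({ enabled = true, graceSeconds = 0 } = {}) {
    this.enabled = enabled;
    this.graceSeconds = graceSeconds;
    this.replacedAt = new Map(); // jti -> unix time the token was refreshed away
  }

  // Called by the refresh endpoint once the replacement token has been issued.
  markReplaced(jti, now) {
    if (this.enabled && !this.replacedAt.has(jti)) this.replacedAt.set(jti, now);
  }

  // Accept a token only before its own exp and, if it was replaced, only
  // while the grace window since the refresh is still open.
  accepts(claims, now) {
    if (now >= claims.exp) return false;
    const replaced = this.replacedAt.get(claims.jti);
    if (replaced === undefined) return true;
    return now - replaced < this.graceSeconds;
  }
}

// Constructed timeline for the page load in the thread: the refresh is handled
// at t0, the user fetch carrying the old token lands one second later, and the
// same old token shows up again ten minutes later.
function simulatePageLoad(options) {
  const t0 = 1000;
  const oldToken = { jti: 'old-token', exp: t0 + 3600 };
  const blacklist = new TokenBlacklist(options);
  blacklist.markReplaced(oldToken.jti, t0);
  return {
    userFetchOk: blacklist.accepts(oldToken, t0 + 1),
    lateReuseOk: blacklist.accepts(oldToken, t0 + 600),
  };
}

function compareSettings() {
  return {
    blacklistOff: simulatePageLoad({ enabled: false }),
    blacklistStrict: simulatePageLoad({ enabled: true, graceSeconds: 0 }),
    blacklistGrace: simulatePageLoad({ enabled: true, graceSeconds: 30 }),
  };
}
```

With the blacklist off, the replaced token stays usable until its own `exp`; a short grace window lets the simultaneous user fetch through while still rejecting the old token later.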

websanova avatar websanova commented on September 25, 2024

Ah, sweet, that would make more sense.


from vue-auth.

websanova avatar websanova commented on September 25, 2024

Ok, so I guess this is resolved then?

from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

Well, if there is no way to make the refresh request delay the others until it's ready, then I guess it's fine the way it is atm. Token expiration checks could be implemented, where you decode the token and check its expiration date and issue a refresh there, but that's up to you to decide whether you want to implement it or not. Not all tokens have the same expiration key name, so there would be some sort of config requirement and so on. Here is how I do it at the moment; it's not great, and I couldn't figure out how to access methods like $auth.ready() and so on, but at least I don't issue a refresh every time I enter.

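// jwtDecode is assumed to come from a JWT decoding library such as jwt-decode.
tokenExpired: (data) => {
  // Read the stored token and compare its exp claim with the current time.
  let token = localStorage.getItem('default-auth-token')
  if (token) {
    let now = Date.now() / 1000 | 0 // current Unix time in whole seconds
    return now > jwtDecode(token).exp
  }
  // No stored token: report "not expired" so no refresh is attempted.
  return false
}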

from vue-auth.
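
An added example (not vue-auth code and not the commenter's) of the two client-side ideas raised above: an expiry check with a configurable claim name, and a gate that makes other requests wait for an in-flight refresh. All function names are hypothetical, and the token is only decoded here, never verified.

```javascript
// Added example; readClaims, tokenExpired, createAuthGate and makeSampleToken are
// hypothetical helpers, not vue-auth APIs.

// Read the payload of a JWT without verifying it. The server still checks the
// signature; the client only needs the expiry to decide when to refresh.
function readClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const raw = typeof atob === 'function'
      ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
    return JSON.parse(raw);
  } catch (e) {
    return null; // not base64url or not JSON
  }
}

// The claim name is configurable because not every backend calls it "exp".
// A token that cannot be read counts as expired, so a refresh or login is forced.
function tokenExpired(token, { claim = 'exp', skewSeconds = 30, nowMs = Date.now() } = {}) {
  const claims = readClaims(token);
  const exp = claims ? claims[claim] : undefined;
  if (typeof exp !== 'number') return true;
  return Math.floor(nowMs / 1000) >= exp - skewSeconds;
}

// Every request awaits getToken(); while one refresh is in flight all callers
// share its promise, so no request goes out with the token being replaced.
function createAuthGate(refresh, initialToken, opts) {
  let token = initialToken;
  let inFlight = null;
  return async function getToken() {
    if (token && !tokenExpired(token, opts)) return token;
    if (!inFlight) {
      inFlight = refresh(token)
        .then((fresh) => { token = fresh; return fresh; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed sample token; the signature segment is a dummy value.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```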

websanova avatar websanova commented on September 25, 2024

Ya, so the refresh was purposefully left out since I believe it's best
practice to just fetch a new token each time the app loads. I actually had
the expiration check before but purposefully left it out since it was quite
a lot of extra code to add for base64 decode et al.

Again, if you check the docs, you can easily disable refresh or override it
with your own decode and check. You can also add your own authentication
scheme quite easily. There are just request and response fields that need
to be set.


from vue-auth.

dobromir-hristov avatar dobromir-hristov commented on September 25, 2024

Yep, that's what I did in the example above.

from vue-auth.
