# Refresh token suggestions

5 messages · Page 1 of 1 (latest)

quasi crag
#

Hello,

I am looking for a suggestion of an approach for refresh tokens.

1 - Is it necessary to store it in the DB to compare?

2 - What is the "best way" to implement this procedure, balancing simple vs. secure?

Thank you in advance.

high flare
#

1 - only if you are controlling user sessions with the token.
2 - I don't understand the question completely. What isn't simple? What isn't secure?

quasi crag
#

1 - I have a control for when the token is expiring; in that case, when the user from the app front end sends a request, a 401 is sent and they are logged out.
2 - Simple/easy to implement and basic security.

high flare
#

1 - You can't control when a token expires; as long as it has a TTL in the future, it is valid. What you can control is removing the token from a white list or adding the token to a black list. When the token is validated, it is also validated against either being on the white list and good or on the black list and bad.

2 - JWT implementation isn't very hard, once you understand what is needed to do it right. When you know how to do it right, then it is also secure. I'm still not sure what else to tell you here.
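
The whitelist approach described above, as an added illustration that is not part of the thread: a server-side store of issued refresh-token IDs (jti) that is checked alongside the signature and TTL, with logout removing the entry and the refresh flow rotating the token. The HS256 signing, secret, and in-memory dict are constructed for the example; a real service would keep the store in its DB.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"constructed-demo-secret"  # constructed; a real service loads this from a KMS/env
ACTIVE_REFRESH_TOKENS = {}  # the whitelist: jti -> subject, i.e. the server-side session store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_refresh_token(sub: str, ttl_s: int = 7 * 24 * 3600, now=None) -> str:
    """Issue an HS256 JWT with a random jti and register that jti on the whitelist."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "jti": secrets.token_urlsafe(16), "exp": int(now + ttl_s)}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    ACTIVE_REFRESH_TOKENS[claims["jti"]] = sub
    return f"{head}.{body}.{_b64(sig)}"

def validate_refresh_token(token: str, now=None):
    """Return the claims if signature, TTL and whitelist all pass; None means the caller answers 401."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None  # never trust the token's own alg choice
        claims = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # past its TTL: the server can only reject it
    if ACTIVE_REFRESH_TOKENS.get(claims.get("jti")) != claims.get("sub"):
        return None  # not on the whitelist: revoked at logout, rotated away, or never issued
    return claims

def revoke_refresh_token(jti: str) -> None:
    """Logout: drop the session from the whitelist; the JWT itself stays 'valid' until exp."""
    ACTIVE_REFRESH_TOKENS.pop(jti, None)

def rotate_refresh_token(token: str, now=None):
    """Refresh flow: accept the old token once, revoke it, hand back a fresh one."""
    claims = validate_refresh_token(token, now)
    if claims is None:
        return None
    revoke_refresh_token(claims["jti"])
    return mint_refresh_token(claims["sub"], now=now)
```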

#

1 - Session management is usually a whitelist.