Getting new token using jwt strategy #1687

Closed
deskoh opened this issue Nov 15, 2019 · 1 comment
deskoh commented Nov 15, 2019

In v3, new tokens are created by sending a POST request to the /authentication endpoint. However, this no longer holds in v4 if the jwt strategy is used.

This is likely due to:

```js
if (authResult.accessToken) {
  return authResult;
}
```

Is this behaviour intended? Consequently, a browser client with existing token will not get a new token with extended expiry if the browser is refreshed.

daffl commented Nov 15, 2019

Yes, this is intended for security reasons. Otherwise an attacker that managed to steal your token could get indefinite access to the application. Also see #960.

@daffl daffl closed this as completed Nov 15, 2019
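
The difference between the two behaviours discussed in this thread, as an added example that is not Feathers code and not part of the original issue: a small HS256 model comparing "a valid JWT buys a fresh JWT" with "a valid JWT is returned as-is", measuring how far one token can push its own expiry. The secret, the TTL and every function name here are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, demo only
const TTL = 3600;                         // token lifetime in seconds (assumed)

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Minimal HS256 JWT signer for the demo.
function sign(payload) {
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  return `${body}.${mac(body)}`;
}

// Check signature and expiry against an explicit clock `now` (seconds).
function verify(token, now) {
  const [h, p, sig = ''] = token.split('.');
  const want = mac(`${h}.${p}`);
  if (sig.length !== want.length ||
      !crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(want))) {
    throw new Error('bad signature');
  }
  const payload = dec(p);
  if (payload.exp <= now) throw new Error('token expired');
  return payload;
}

// Policy A (what the issue asks for): a valid JWT buys a fresh JWT.
function authenticateReissue(token, now) {
  const { sub } = verify(token, now);
  return sign({ sub, iat: now, exp: now + TTL });
}

// Policy B (behaviour described in the thread): a valid JWT is returned as-is.
function authenticateReturnExisting(token, now) {
  verify(token, now);
  return token;
}

// Latest expiry reachable from ONE token when it is re-presented every `step` seconds.
function reachableExpiry(authenticate, token, start, step, rounds) {
  let now = start;
  for (let i = 0; i < rounds; i++) {
    try { token = authenticate(token, now + step); } catch (err) { break; }
    now += step;
  }
  return dec(token.split('.')[1]).exp;
}
```

Under policy A the reachable expiry grows with every round, so a single leaked token never ages out; under policy B it stays at the expiry set when the token was first issued.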