Question about refresh /access token
Hi, for a middleware, what's the best approach to renewing access/refresh tokens?
1) Is it better to check in the middleware whether the access token is expired and, if so, check the refresh token and, if it's valid, simply pass the new access/refresh tokens via HTTP cookie?
2) Or use client/server-side interaction: the middleware only checks the access token. If the request fails, the client sends a request to /refresh and this route validates the refresh token; if valid, it sends new refresh/access tokens to the client. The client reattempts the original request to the server.
9 Replies
I ask this because Theo uses the 1st method
I often use the 2nd approach
yeah, I've been told by other senior devs they do this
but Theo uses the first in his own apps
it is just a personal situation, so either option is fine depending on circumstances?
- For server-heavy applications with seamless UX, Option 1 (middleware handling refresh) is preferable, because the middleware handles token verification
- For large-scale or stateless APIs where performance is critical, the 2nd is preferred, because the frontend side handles it. But in this case, the client side may have some delay
So the best approach is to combine both ways
how so?
if it's okay to ask
Like the middleware checks the token and, if invalid, sends a 401 error, and the client side lets the user auto logout and re-login
For a large-scale and robust product, HTTP cookie only is weak, or you need to combine both
But for a simple application, and if you prefer user experience on the application, the first way is good. Without any client-side refresh, reauthorization can be done.
alright thanks, yeah I'll stick with the first since it's a simple SaaS app I'm making as a hobby project
i appreciate those insights
the option of combining both seems complex since that defeats the purpose of refresh tokens, especially if access tokens are short-lived
with combining both, you can achieve it using refresh token usage
the same as the 2nd
exactly
But rather than reauth involving the client side, it will be done smoothly with error response handling.
if the middleware returns an access-token-invalid 401 error, then the client will request a new access token using the refresh token (new route)
from the middleware, you can check both tokens automatically. So even if the access token is invalid, if the refresh token is valid, a new access token will be generated automatically and the request continues.
Only the client side will be stuck when both tokens are expired or invalid
thanks, I appreciate the help a lot! Yeah it seems very similar to method 2, I'm not sure if there are any advantages of combining both methods compared to using the first or second solution.
I could be wrong, but it seems closer to #2
thanks for the help though, my question is answered.
!solved