泣いオオカミー ≛ 🏆 ≛
Theo's Typesafe Cult
Created by 泣いオオカミー ≛ 🏆 ≛ on 2/6/2025 in #questions
Question about refresh /access token
Hi, for a middleware, what's the best approach to renewing access/refresh tokens?
1) Is it better to check in the middleware whether the access token is expired and, if so, check the refresh token and, if it's valid, simply pass the new access/refresh tokens via HTTP cookie
2) Or use a client/server-side interaction: the middleware only checks the access token. If the request fails, the client sends a request to /refresh, and this route validates the refresh token; if it's valid, it sends a new refresh/access token to the client. The client then reattempts the original request to the server.
28 replies
Created by 泣いオオカミー ≛ 🏆 ≛ on 2/3/2025 in #questions
Theo recent auth video on JWT
Hi, the timestamp is 5:03 in Theo's recent video on different auth options.
I'm confused. Currently my understanding is that refresh tokens only ever get invalidated if the user signs out or they expire. This is to force the user to sign in again for security purposes, if refresh tokens only ever expire.
But in Theo's video, he actually creates a refresh token whenever the access token needs to be created. This results in the user always being signed in unless they haven't touched the app for longer than the refresh token expiration.
The only difference between the two is the user experience, as far as I can see.
The user will never be signed out with the solution shown in Theo's video.
Whereas using the same refresh token until it expires forces the user to sign in again for security purposes.
Which is the most preferred and secure way? Or are both methods acceptable?
23 replies