webdevsimplified / jwt-authentication Goto Github PK

Hey Kyle, I have followed your tutorial on YouTube and also implemented some logic like you using JWT but in Java with the Framework Spring-Boot.
I am working on a mobile app like Twitter and I would like to know if refresh-tokens should have an expiration time or are there valid forever ?

Hey Kyle.

I've came across your tutorial whilst researching for JWT Authentication.
Quite useful. I'm implementing a prototype myself for a project and I'm a bit confused still.

Lets assume I have a website (example.com) which handles my front-end code. It is a React application that relies on another website for an API (lets say some-api.com)

I've managed to:

• Create a GraphQL Database of Users and Tokens (not in your tutorial)
• I've created the /register route and the /login route, both working fine, and withe the later returning the accessToken and the refreshToken
• I've also implemented the /token route to remove the old token from GraphQL list of valid tokens, and I have it generating a new accessToken and refreshToken similar to what I done in the /login

I Guess my questions are two.

1. When should I use the accessToken vs the refreshToken
2. How can I validate a "secure" react router "route" somewhere on my website (example.com)
   Do I need to create a new method that checks if the current accessToken is valid? or should I be checking against the refreshToken? That's what's making it confusing for me.

accessToken's are meant to expire quickly right? So should I be using the accessToken to every api request I need (like /user-profile or whatever) or should I pass the refreshToken?

Thanks for the insight.
Kind regards
Andre