
refresh token behavior

Open shortSparrow opened this issue 1 year ago • 0 comments

Hello dear Dave, in the `authController.js` you set the cookie like this:

```javascript
res.cookie('jwt', newRefreshToken, { httpOnly: true, secure: true, sameSite: 'None', maxAge: 24 * 60 * 60 * 1000 });
```

But you don't specify `Path`, so the refresh token will be sent on every HTTP request. Isn't this a problem? Doesn't this increase the risk that the token will be stolen?

And if you did it on purpose, why not add to `verifyJWT` an update of the access token if it has expired? It would be better for the user, because he would update his token silently and would not get any error.

P.S. I am a beginner in backend, sorry if this question is silly

shortSparrow, Dec 21 '23 15:12
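The `Path` behaviour raised in this issue, as an added example that is not part of the original post or the repository's code: it applies the RFC 6265 path-match rule to the cookie options quoted above, with and without a `path`, to show which requests would carry the `jwt` cookie. The route list and the `/refresh` path value are assumptions chosen for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: the rule a browser applies to decide
// whether a stored cookie is attached to a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a "/" boundary.
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Express's res.cookie() sets Path=/ when no path option is passed.
const EXPRESS_DEFAULT_PATH = '/';

// Hypothetical API routes (assumed for this example, not taken from the repo).
const ROUTES = [
  '/auth', '/refresh', '/refresh/rotate', '/refreshments',
  '/logout', '/employees', '/employees/42',
];

// Returns the routes whose requests would include the cookie.
function routesReceivingCookie(cookieOptions, routes = ROUTES) {
  const cookiePath = cookieOptions.path ?? EXPRESS_DEFAULT_PATH;
  return routes.filter((route) => pathMatches(route, cookiePath));
}

// Options exactly as quoted in the issue: no path, so Path=/.
const asPosted = {
  httpOnly: true, secure: true, sameSite: 'None', maxAge: 24 * 60 * 60 * 1000,
};

// Same options, scoped to the refresh endpoint (assumed to be /refresh).
// Any route that reads or clears the cookie must sit under this path, and
// res.clearCookie() must be given the same path or the browser keeps the cookie.
const scoped = { ...asPosted, path: '/refresh' };

console.log('no path  :', routesReceivingCookie(asPosted).join(', '));
console.log('/refresh :', routesReceivingCookie(scoped).join(', '));
```

With the options as posted, every route receives the refresh token; with the scoped options only `/refresh` and `/refresh/rotate` do, and `/refreshments` is excluded because the prefix does not end on a `/` boundary.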