rails-jwt-auth-tutorial

How to handle refresh token / reauthorization best practice?

Open patwalls opened this issue 5 years ago • 2 comments

Not necessarily an issue or bug, but how would I go about issuing a refresh token?

Sorry if this is a naive question, but if the token expires after 24 hours, I would have to require the user to reauthorize every day, right?

Should I extend the expiration for longer than 24 hours, or send some sort of refresh token alongside the auth response so that the frontend can re-auth behind the scenes?

Hopefully my question makes sense. Thanks for your help - and great tutorial :)

Pat

patwalls, Apr 13 '19 05:04

I'm also curious about this, having just implemented the tutorial's basic structure in a NativeScript app on Rails. I think an excellent follow-up to the article might include re-authorization, and also token storage best practices. For example, after authenticating and receiving the JWT, is it best to store that on the client side in either session or local storage, or a cookie? Do we encrypt it? Etc...

batmanbury, Jun 21 '19 14:06

What I ended up doing for my app was just increasing the expiration time to more like 30 days, and asking the user to re-login if I get a 401 Unauthorized, if that helps at all!

patwalls, Jun 21 '19 18:06
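The flow the opening question asks about, and the alternative to the 30-day token in the last comment: a short-lived access JWT issued together with an opaque, single-use refresh token, so the frontend can re-auth behind the scenes and the user only logs in again once the refresh token is expired or revoked. This is an added example in plain Ruby, not code from the tutorial or from this thread; the secret, the TTLs, the in-memory store and the method names are assumptions, and a Rails app would keep the store in a refresh_tokens table.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Constructed secret for this example; a Rails app reads it from credentials instead.
SECRET = "example-hmac-secret-not-for-production".freeze
ACCESS_TTL  = 15 * 60            # short-lived access JWT: 15 minutes
REFRESH_TTL = 30 * 24 * 60 * 60  # long-lived refresh token: 30 days
REFRESH_STORE = {}  # stand-in for a refresh_tokens table: digest => { user_id:, exp:, used: }

def b64(s) = Base64.urlsafe_encode64(s, padding: false)
def sign(data) = b64(OpenSSL::HMAC.digest("SHA256", SECRET, data))

# Minimal HS256 JWT encoder using only the standard library (no jwt gem needed).
def encode_jwt(payload)
  head, body = b64(JSON.generate(alg: "HS256", typ: "JWT")), b64(JSON.generate(payload))
  "#{head}.#{body}.#{sign("#{head}.#{body}")}"
end

# Returns the user id from a correctly signed, unexpired access token, else nil.
def verify_access(token, now = Time.now.to_i)
  head, body, sig = token.to_s.split(".")
  return nil unless sig && OpenSSL.secure_compare(sign("#{head}.#{body}"), sig)
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  payload["exp"].is_a?(Integer) && payload["exp"] > now ? payload["sub"] : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Issues a short-lived JWT plus an opaque refresh token; only a digest of the refresh
# token is stored, so a copied database does not yield usable refresh tokens.
def issue_tokens(user_id, now = Time.now.to_i)
  refresh = SecureRandom.urlsafe_base64(32)
  REFRESH_STORE[OpenSSL::Digest::SHA256.hexdigest(refresh)] =
    { user_id: user_id, exp: now + REFRESH_TTL, used: false }
  { access: encode_jwt(sub: user_id, iat: now, exp: now + ACCESS_TTL), refresh: refresh }
end

# Exchanges a refresh token for a new pair. Each refresh token is single-use (rotation).
def refresh_tokens(refresh, now = Time.now.to_i)
  record = REFRESH_STORE[OpenSSL::Digest::SHA256.hexdigest(refresh.to_s)]
  return nil if record.nil? || record[:exp] <= now
  if record[:used]  # a spent token came back: treat it as stolen, revoke the whole family
    REFRESH_STORE.delete_if { |_, r| r[:user_id] == record[:user_id] }
    return nil
  end
  record[:used] = true
  issue_tokens(record[:user_id], now)
end
```

The client keeps the access token in memory, calls `refresh_tokens` when it gets a 401, and only sends the user back to the login screen when the refresh call itself returns nothing; the refresh token is the long-lived secret, so it belongs in an HttpOnly cookie or equivalent, not in localStorage.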