
Refresh is being guarded by a token check, returns "invalid".

Open raf202 opened this issue 7 years ago • 2 comments

Trying to refresh a token returns "Invalid token". Fixed when I remove the refresh route from the api.auth middleware group:


```php
<?php
// routes file: obtain the Dingo API router instance that Lumen registers
$api = app('Dingo\Api\Routing\Router');

$api->group([
    'middleware' => 'api.auth',   // every route below requires a currently valid token
], function ($api) {
    $api->get('/', [
        'uses' => 'App\Http\Controllers\APIController@getIndex',
        'as' => 'api.index'
    ]);
    $api->get('/auth/user', [
        'uses' => 'App\Http\Controllers\Auth\AuthController@getUser',
        'as' => 'api.auth.user'
    ]);
    $api->patch('/auth/refresh', [
        'uses' => 'App\Http\Controllers\Auth\AuthController@patchRefresh',
        'as' => 'api.auth.refresh'
    ]); // REMOVED THIS FROM THE GROUP AND LEFT IT UNPROTECTED, OR ELSE TOKEN WOULD NOT BE REFRESHED
    $api->delete('/auth/invalidate', [
        'uses' => 'App\Http\Controllers\Auth\AuthController@deleteInvalidate',
        'as' => 'api.auth.invalidate'
    ]);
});
```

raf202 avatar Jul 26 '17 04:07 raf202

I had the same issue on #33

pmventura avatar Jul 26 '17 06:07 pmventura

Also, you have to make 3 calls to refresh an expired token:

  1. The call you actually want to make, which is denied and returns that the token has expired
  2. The token refreshing call -> returns the token so you can save client side
  3. The call you actually want to make, again (now with the refreshed token)

I don't know if there's a specific reason for it, but it seems a bit like bad design to me. Perhaps a better workflow with one round trip to the server would be:

  1. The call you actually want to make -> Server side checks that the token has expired, checks for the refresh window -> if it's in the refresh window, make the call and return 'token expired' with a new token. You check and save the token client side.

raf202 avatar Jul 26 '17 13:07 raf202
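The three-call flow and the one-round-trip alternative described in the comments above, as an added example that is not code from lumen-jwt, tymon/jwt-auth or this issue: an in-memory JavaScript mock of a server with a token TTL and a refresh window, plus a client that refreshes once and retries once. The TTL and window lengths, the token strings, the route names (`getUser`, `refresh`, `refreshGuarded`, `getUserAutoRefresh`) and the error strings are all constructed assumptions for the example.

```javascript
// Added example (not lumen-jwt or tymon/jwt-auth code): an in-memory mock of
// the token flow discussed in this issue. All names, TTLs and responses here
// are constructed for illustration.

const TOKEN_TTL_MS = 60 * 60 * 1000;                // constructed: access token valid 1 hour
const REFRESH_WINDOW_MS = 14 * 24 * 60 * 60 * 1000; // constructed: refreshable for 14 days

// clock is an object { value: <ms> } so the demo can move time forward.
function makeMockServer(clock) {
  const tokens = new Map(); // token -> { issuedAt, revoked }
  let counter = 0;

  function issue() {
    const t = `tok-${++counter}`;
    tokens.set(t, { issuedAt: clock.value, revoked: false });
    return t;
  }

  // 'valid' | 'expired' (past TTL but inside the refresh window) | 'invalid'
  function state(t) {
    const rec = tokens.get(t);
    if (!rec || rec.revoked) return 'invalid';
    const age = clock.value - rec.issuedAt;
    if (age < TOKEN_TTL_MS) return 'valid';
    if (age < REFRESH_WINDOW_MS) return 'expired';
    return 'invalid';
  }

  const deny = (s) => ({ status: 401, body: { error: s === 'expired' ? 'token_expired' : 'token_invalid' } });

  // What an auth guard on a protected route does: only a currently valid token passes.
  function guard(t) {
    const s = state(t);
    return s === 'valid' ? null : deny(s);
  }

  // Refresh logic: rotate an expired-but-in-window token; the old one is revoked
  // so a replayed copy cannot be refreshed a second time.
  function rotate(t) {
    const s = state(t);
    if (s === 'invalid') return deny(s);
    tokens.get(t).revoked = true;
    return { status: 200, body: { token: issue() } };
  }

  return {
    login: () => issue(),
    getUser: (t) => guard(t) || { status: 200, body: { user: 'alice' } },
    // Refresh route left inside the guarded group (the symptom reported above):
    // the guard rejects the expired token before rotate() ever runs.
    refreshGuarded: (t) => guard(t) || rotate(t),
    // Refresh route outside the group: expired-but-in-window tokens are accepted.
    refresh: (t) => rotate(t),
    // One-round-trip variant from the last comment: serve the request on an
    // expired-but-in-window token and hand back a fresh token with the response.
    getUserAutoRefresh: (t) => {
      const s = state(t);
      if (s === 'invalid') return deny(s);
      const body = { user: 'alice' };
      if (s === 'valid') return { status: 200, body };
      return { status: 200, body, newToken: rotate(t).body.token };
    },
  };
}

// Client side of the three-call flow: call, refresh on token_expired, retry once.
// Exactly one retry, so a failing refresh cannot turn into a loop.
function makeClient(server) {
  let token = server.login();
  let refreshes = 0;

  function getUser() {
    let res = server.getUser(token);
    if (res.status !== 401 || res.body.error !== 'token_expired') return { ...res, calls: 1 };
    const r = server.refresh(token);
    if (r.status !== 200) return { ...r, calls: 2 };
    token = r.body.token; // save the rotated token client side
    refreshes++;
    res = server.getUser(token);
    return { ...res, calls: 3 };
  }

  return { getUser, token: () => token, refreshes: () => refreshes };
}

// Walk through the scenarios and return the observations.
function demo() {
  const clock = { value: 0 };
  const server = makeMockServer(clock);
  const client = makeClient(server);
  const fresh = client.getUser();                         // 1 call, 200
  const first = client.token();
  clock.value += TOKEN_TTL_MS;                            // first token expired, inside window
  const guarded = server.refreshGuarded(first);           // 401 token_expired: the reported bug
  const afterExpiry = client.getUser();                   // 3 calls, 200, token rotated
  const replay = server.refresh(first);                   // 401 token_invalid: first token revoked
  clock.value += TOKEN_TTL_MS;                            // second token expired, inside window
  const auto = server.getUserAutoRefresh(client.token()); // 200 plus newToken in one round trip
  clock.value += REFRESH_WINDOW_MS;                       // past the window for every token
  const tooLate = server.refresh(auto.newToken);          // 401 token_invalid: must log in again
  return { fresh, guarded, afterExpiry, replay, auto, tooLate, refreshes: client.refreshes() };
}
```

`refreshGuarded` reproduces the reported symptom: the same check that protects every route in the guarded group rejects the expired token before the refresh logic runs, so the refresh route has to sit outside that guard (or behind one that explicitly accepts expired-but-in-window tokens). The one-round-trip variant lets an expired token authorize a request, so from a defender's view the refresh window, not the TTL, bounds how long a leaked token keeps working; the rotation in `rotate()` (old token revoked on refresh) limits replay in both flows.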