
Reauthenticating a user doesn't increase socket ttl #3333

Closed
MarcGodard opened this issue Nov 10, 2023 · 5 comments

Comments

@MarcGodard
Contributor

In V5, the socket disconnects when the JWT expires.

I tried the following (made the JWT expire after 1 minute):

  • reauthenticate the connection every 30 seconds
  • authenticated with jwt strategy every 30 seconds (and store new token)
  • once disconnected, reauthenticate using the updated token

Nothing seems to work; the idea is to have the token renew and keep the connection (or seamlessly reconnect).

I cannot figure out how to accomplish this, or find any documentation on how to do this.

What am I missing? The idea is to create a system where JWTs don't live long, but as long as the user is using the system, I want to update the JWT before it expires so the user stays connected.

@daffl
Member

daffl commented Nov 17, 2023

Reauthenticating with the JWT strategy does not create a new token but just gives you back the existing one. To create a new one, a refresh token (referenced in #1337) would be needed.

It used to create a new token back in v3, but it was actually a security issue because if someone gets hold of the token they can stay authenticated forever by generating new ones.

@MarcGodard
Contributor Author

MarcGodard commented Nov 17, 2023

@daffl that talks about OAuth tokens; I am not using OAuth, just email and password (local). Does Feathers offer a way to do a refresh token with the local strategy? Is there anything more up-to-date than a GitHub issue from 2015?

@daffl
Member

daffl commented Nov 17, 2023

What's the requirement for refreshing the token every 30 seconds? In general it's probably a good idea to make the user log in with their credentials once in a while (daily, weekly, monthly), in which case you could just set the JWT expiration time to that.

@MarcGodard
Contributor Author

MarcGodard commented Nov 18, 2023

The 30 seconds was just for testing. The idea is to have the token last 30 minutes and sign the user out if they walk away and leave the system logged in, but if they keep making calls, refresh the token at 25 minutes or more (depending on when they make a call next). This is how all the banking sites do it, many with tokens that live 5 to 10 minutes.

The alternative is to make the token last longer and force-log them out. But this means no security benefit, as there will be a long-lived token in the wild.

@daffl
Member

daffl commented Nov 18, 2023

A refresh token essentially has the same issue, which is why they need to be revokable, in which case it's probably easier to make the normal (longer-lived) JWTs revokable.
