What's point allow refresh token for cookies token only?

[zebox]

@umputun hi!
Could explain why refresh token feature available for cookies token only?
I want use SendJWTHeader, but refreshExpiredToken never will be reached with token in header.

First call:

// in auth.go
...
 claims, tkn, err := a.JWTService.Get(r)
 if err != nil {
	onError(h, w, r, errors.Wrap(err, "can't get token"))
	return
 }
...

then call:

// in jwt.go
...
if !fromCookie && j.IsExpired(claims) {
   return Claims{}, "", errors.New("token expired")
}
...

JWTService, in auth.go, always returns error when SendJWTHeader option enabled and token expired.

I suppose that token in header use for check (or check validation token) auth/autz only. When token refresh required, I should sent it using cookies. That's right?

[umputun]

I'm not sure what exactly you are expecting to happen in this case. With the SendJWTHeaderset the client (i.e., caller) controls what token is sent to the server. If the token is expired server can't do anything smart, as it doesn't control the storage (cookie) in this mode.

So, unless I missed the intent, it works as designed, and the refresh in this case is the client's responsibility.

[zebox]

That's, server doesn't implement refresh token logic because that a client part (an app which use auth pkg)? How I understand, the login handler hasn't way return access token and refresh token together in cookies values or response body (in JSON)?

[umputun]

Not sure I follow. Let's say your application (the client/caller) performed the login, got JWT, and sent this JWT in any request header. The app will have to store JWT somewhere on the server side, which can be memory or anything else. In this case, the idea of autorefresh makes no sense to me; what exactly can the library refresh here? It needs to know what the storage is, how to access it, and how to update it to make the app send refreshed tokens, and it knows none of this.

Theoretically, it is possible to pass some callback to the library, which will hit some user-provided func on refresh. However, I'm not sure if this is a good idea. If the user decided to send jwt in headers, to me, this is a clear indication of "I will handle it on the app side" intent.