Active Sessions & JWT Refresh


Renaud Chaput

Nov 24, 2021, 8:49:14 AM11/24/21
to Rodauth
On my app, I am using Rodauth for a web-based authentication, but also for our mobile application using JWT & JWT refresh tokens.
So both active_sessions (for cookie-based web sessions) and jwt_refresh (for mobile API) are enabled.

This results in calls to the jwt-refresh endpoint getting a 401 / inactive_session response, which I don't think is the intended behaviour, as JWT refresh tokens have their own deadline interval for expiration.

What would be the best way to deal with this setup?
I think the easiest way would be to only call `rodauth.check_active_session` if `use_jwt?` returns true for the request, but I am not sure how to check this in the routes.

This should probably be documented somewhere, or maybe even handled in the active_sessions plugin, as I can't think of a use case with expiring sessions and JWT at the same time.

Thanks,

Renaud

Renaud Chaput

Nov 24, 2021, 9:42:06 AM11/24/21
to Rodauth
It looks like it can be as simple as:

    unless rodauth.use_jwt?
      rodauth.check_active_session # auth if there is an active session
      rodauth.load_memory # auth if there is a remember cookie
    end

Is it the best way to handle this?

Renaud

Jeremy Evans

Nov 24, 2021, 11:04:22 AM11/24/21
to rod...@googlegroups.com
On Wed, Nov 24, 2021 at 6:42 AM Renaud Chaput <ren...@gmail.com> wrote:
> It looks like it can be as simple as:
>
>     unless rodauth.use_jwt?
>       rodauth.check_active_session # auth if there is an active session
>       rodauth.load_memory # auth if there is a remember cookie
>     end
>
> Is it the best way to handle this?

Which version of Rodauth are you using?  There were changes in 2.13.0 related to the combination of active_sessions and jwt_refresh. If you are already past that version, can you put together a minimal self-contained example showing the problem so I can review?
 
In terms of your code example, if you only want to check active sessions and load memories for non-JWT requests, that approach seems fine.

Thanks,
Jeremy
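To make the behaviour discussed above concrete, here is an added, stand-alone Ruby example (not Rodauth's code and not from either poster). It models the two independent lifetimes involved: a cookie session subject to the active_sessions inactivity deadline, and a JWT refresh token with its own deadline, and it applies the route-block rule from the thread so that only non-JWT requests go through the active-session check. `AuthState`, `handle`, `check_active_session`, `jwt_refresh` and the env helpers are this example's own stand-ins, not Rodauth's API; `use_jwt?` follows the same rule Rodauth's jwt feature uses (an Authorization header or a JSON request selects the JWT path), and the deadline constants are set to Rodauth's defaults (1 day inactivity, 14-day refresh token deadline), which you should confirm against your own configuration.

```ruby
require 'json'
require 'stringio'

# Constructed in-memory stand-ins for the active_sessions and jwt_refresh
# tables. The class and its methods are this example's assumptions, not
# Rodauth's API; the deadlines are set to Rodauth's defaults.
class AuthState
  SESSION_INACTIVITY_DEADLINE = 24 * 60 * 60      # active_sessions: 1 day idle
  REFRESH_TOKEN_DEADLINE      = 14 * 24 * 60 * 60 # jwt_refresh: 14 days

  attr_reader :active_sessions, :refresh_tokens

  def initialize
    @active_sessions = {} # session_id => last_use (Time)
    @refresh_tokens  = {} # refresh token => deadline (Time)
  end

  def start_web_session(session_id, now)
    @active_sessions[session_id] = now
  end

  def issue_refresh_token(token, now)
    @refresh_tokens[token] = now + REFRESH_TOKEN_DEADLINE
  end
end

# Same rule Rodauth's jwt feature uses for use_jwt?: an Authorization header
# or a JSON request selects the JWT path instead of the cookie session.
def use_jwt?(env)
  auth = env['HTTP_AUTHORIZATION']
  return true if auth && !auth.empty?
  (env['CONTENT_TYPE'] || '').match?(%r{\Aapplication/json}i)
end

def bearer_token(env)
  auth = env['HTTP_AUTHORIZATION']
  return nil if auth.nil? || auth.empty?
  auth.sub(/\ABearer:?\s+/, '')
end

# Stand-in for rodauth.check_active_session: a cookie session idle for longer
# than the deadline is rejected. Returns nil when the session is still active.
def check_active_session(state, session_id, now)
  last_use = state.active_sessions[session_id]
  if last_use.nil? || now - last_use > AuthState::SESSION_INACTIVITY_DEADLINE
    return [401, { 'error' => 'inactive_session' }]
  end
  state.active_sessions[session_id] = now
  nil
end

# Stand-in for the jwt-refresh endpoint: the refresh token has its own
# deadline and is rotated on use, independent of any cookie session timer.
def jwt_refresh(state, env, now)
  return [401, { 'error' => 'missing_jwt' }] unless bearer_token(env)
  token = JSON.parse(env['rack.input'].read)['refresh_token']
  deadline = state.refresh_tokens[token]
  if deadline.nil? || now > deadline
    return [401, { 'error' => 'invalid_refresh_token' }]
  end
  state.refresh_tokens.delete(token) # one-time use
  rotated = "#{token}-rotated"
  state.refresh_tokens[rotated] = now + AuthState::REFRESH_TOKEN_DEADLINE
  [200, { 'refresh_token' => rotated }]
end

# The route block from the thread, applied to a Rack env: only non-JWT
# requests are subject to the active-session check, so the mobile refresh
# path cannot be cut short by the web session's inactivity deadline.
def handle(state, env, now)
  unless use_jwt?(env)
    failure = check_active_session(state, env['rack.session_id'], now)
    return failure if failure
  end
  return jwt_refresh(state, env, now) if env['PATH_INFO'] == '/jwt-refresh'
  [200, { 'status' => 'ok' }]
end

# Constructed Rack envs for a mobile (JSON + Bearer) and a web (cookie) request.
def json_env(path, body, token)
  { 'PATH_INFO' => path, 'CONTENT_TYPE' => 'application/json',
    'HTTP_AUTHORIZATION' => "Bearer #{token}",
    'rack.input' => StringIO.new(JSON.generate(body)) }
end

def web_env(path, session_id)
  { 'PATH_INFO' => path, 'CONTENT_TYPE' => 'text/html', 'rack.session_id' => session_id }
end

# Scenario from the thread: after 25 idle hours the web session is inactive,
# but the mobile refresh token (14-day deadline) must still be honoured.
def demo
  state = AuthState.new
  t0 = Time.at(0)
  state.start_web_session('web-1', t0)
  state.issue_refresh_token('refresh-1', t0)
  later = t0 + 25 * 60 * 60
  refresh = { 'refresh_token' => 'refresh-1' }
  {
    web:   handle(state, web_env('/', 'web-1'), later),
    fresh: handle(state, json_env('/jwt-refresh', refresh, 'access.jwt'), later),
    reuse: handle(state, json_env('/jwt-refresh', refresh, 'access.jwt'), later),
    stale: handle(state, json_env('/jwt-refresh', { 'refresh_token' => 'refresh-1-rotated' }, 'access.jwt'),
                  t0 + 16 * 24 * 60 * 60)
  }
end
```

Running `demo` shows the web request failing with inactive_session while the first refresh succeeds and rotates the token; reusing the consumed token, or presenting the rotated one after its own 14-day deadline, is rejected by the refresh path's own checks, which is where expiry for the mobile client should come from rather than from the cookie session's timer.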

Renaud Chaput

Nov 24, 2021, 11:52:10 AM11/24/21
to rod...@googlegroups.com
On 24 Nov 2021 at 17:04 +0100, Jeremy Evans <jeremy...@gmail.com>, wrote:
> On Wed, Nov 24, 2021 at 6:42 AM Renaud Chaput <ren...@gmail.com> wrote:
> > It looks like it can be as simple as:
> >
> >     unless rodauth.use_jwt?
> >       rodauth.check_active_session # auth if there is an active session
> >       rodauth.load_memory # auth if there is a remember cookie
> >     end
> >
> > Is it the best way to handle this?
>
> Which version of Rodauth are you using?  There were changes in 2.13.0 related to the combination of active_sessions and jwt_refresh. If you are already past that version, can you put together a minimal self-contained example showing the problem so I can review?

I am using rodauth 2.17.0.
I will see if I can write a test showing this behaviour.

> In terms of your code example, if you only want to check active sessions and load memories for non-JWT requests, that approach seems fine.

I don't see what the use case would be for using active sessions & remember-me cookies while using JWT, except if I am missing something obvious :)