refresh the access token in the background

BacLuc · BacLuc · commit d3359d2444a0 · 2025-08-10T21:44:34.000+02:00
Use gesdinet/jwt-refresh-token-bundle to achieve this. The access token lifetime was reduced to 30 mins according to https://cloud.google.com/apigee/docs/api-platform/antipatterns/oauth-long-expiration as a starting point. Do not log out if the refresh in the background fails, the user might want to backup the content he is currently editing. One proposed pattern is to intercept 401 responses and refresh the token when the requests fail. Because we often have multiple requests running, this did not work well. Now we have a timeout in the background which refreshes the access token periodically. closes #4898
diff --git a/api/composer.json b/api/composer.json
@@ -15,6 +15,7 @@
         "exercise/htmlpurifier-bundle": "5.1",
         "friendsofsymfony/http-cache": "3.1.1",
         "friendsofsymfony/http-cache-bundle": "3.2.0",
+        "gesdinet/jwt-refresh-token-bundle": "1.5.0",
         "google/recaptcha": "1.3.1",
         "guzzlehttp/guzzle": "7.9.3",
         "knpuniversity/oauth2-client-bundle": "2.18.3",
diff --git a/api/composer.lock b/api/composer.lock
diff --git a/api/config/bundles.php b/api/config/bundles.php
@@ -6,6 +6,7 @@
 use Exercise\HTMLPurifierBundle\ExerciseHTMLPurifierBundle;
 use Fidry\AliceDataFixtures\Bridge\Symfony\FidryAliceDataFixturesBundle;
 use FOS\HttpCacheBundle\FOSHttpCacheBundle;
+use Gesdinet\JWTRefreshTokenBundle\GesdinetJWTRefreshTokenBundle;
 use Hautelook\AliceBundle\HautelookAliceBundle;
 use KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle;
 use Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle;
@@ -44,4 +45,5 @@
     SentryBundle::class => ['all' => true],
     TwigExtraBundle::class => ['all' => true],
     FOSHttpCacheBundle::class => ['all' => true],
+    GesdinetJWTRefreshTokenBundle::class => ['all' => true],
 ];
diff --git a/api/config/packages/gesdinet_jwt_refresh_token.yaml b/api/config/packages/gesdinet_jwt_refresh_token.yaml
@@ -0,0 +1,11 @@
+gesdinet_jwt_refresh_token:
+    cookie:
+      enabled: true
+      same_site: strict
+      path: /
+      http_only: true
+      secure: '%env(bool:COOKIE_SECURE)%'
+      remove_token_from_body: true
+    refresh_token_class: App\Entity\RefreshToken
+    single_use: true
+    token_parameter_name: '%env(COOKIE_PREFIX)%refresh_token'
diff --git a/api/config/packages/lexik_jwt_authentication.yaml b/api/config/packages/lexik_jwt_authentication.yaml
@@ -7,9 +7,8 @@ lexik_jwt_authentication:
     public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
     pass_phrase: '%env(JWT_PASSPHRASE)%'
 
-    # Tokens are valid for 12 hours, should be safe because we never expose the whole token to JavaScript.
-    # Of course it would be even better to have only short-lived tokens but renew them on every request.
-    token_ttl: 43200
+    # Tokens are valid for 30 minutes.
+    token_ttl: 1800
 
     # Read the JWT token from a split cookie: The [api-domain]_jwt_hp and [api-domain]_jwt_s cookies are combined with a period (.)
     # to form the full JWT token.
diff --git a/api/config/packages/security.yaml b/api/config/packages/security.yaml
@@ -28,13 +28,16 @@ security:
             lazy: true
             provider: app_user_provider
             user_checker: App\Security\UserStatusChecker
+            entry_point: jwt
             json_login:
                 check_path: /authentication_token
                 username_path: identifier
                 password_path: password
                 success_handler: lexik_jwt_authentication.handler.authentication_success
                 failure_handler: lexik_jwt_authentication.handler.authentication_failure
             jwt: ~
+            refresh_jwt:
+                check_path: /token/refresh
             custom_authenticators:
                 - App\Security\OAuth\GoogleAuthenticator
                 - App\Security\OAuth\HitobitoAuthenticator
@@ -46,6 +49,7 @@ security:
         - { path: ^/auth, roles: PUBLIC_ACCESS } # OAuth and resend password endpoints
         - { path: ^/content_types, roles: PUBLIC_ACCESS } # Content types is more or less static and the same for all camps
         - { path: ^/invitations/.*/(find|reject), roles: PUBLIC_ACCESS }
+        - { path: ^/token/refresh, roles: PUBLIC_ACCESS }
         - { path: ^/users$, methods: [POST], roles: PUBLIC_ACCESS } # register
         - { path: ^/users/.*/activate$, methods: [PATCH], roles: PUBLIC_ACCESS }
         - { path: .*, roles: [ROLE_USER] } # Protect all other routes must be at the end
diff --git a/api/config/routes.yaml b/api/config/routes.yaml
@@ -4,3 +4,5 @@
 authentication_token:
   path: /authentication_token
   methods: ['POST']
+api_refresh_token:
+  path: /token/refresh
diff --git a/api/config/services.yaml b/api/config/services.yaml
@@ -103,6 +103,12 @@ services:
     App\OpenApi\OAuthDecorator:
         decorates: 'api_platform.openapi.factory'
 
+    App\OpenApi\RefreshTokenDecorator:
+      decorates: 'api_platform.openapi.factory'
+      arguments:
+        - '@.inner'
+        - '%env(COOKIE_PREFIX)%'
+
     App\OAuth\UrlGeneratorDecorator:
         class: App\OAuth\UrlGeneratorDecorator
         arguments:
diff --git a/api/migrations/schema/Version20250809140557.php b/api/migrations/schema/Version20250809140557.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20250809140557 extends AbstractMigration {
+    public function getDescription(): string {
+        return 'Add refresh tokens table';
+    }
+
+    public function up(Schema $schema): void {
+        $this->addSql('CREATE TABLE refresh_tokens (refresh_token VARCHAR(128) NOT NULL, username VARCHAR(255) NOT NULL, valid TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL, id INT GENERATED BY DEFAULT AS IDENTITY NOT NULL, PRIMARY KEY (id))');
+        $this->addSql('CREATE UNIQUE INDEX UNIQ_9BACE7E1C74F2195 ON refresh_tokens (refresh_token)');
+    }
+
+    public function down(Schema $schema): void {
+        $this->addSql('DROP TABLE refresh_tokens');
+    }
+}
diff --git a/api/src/Entity/RefreshToken.php b/api/src/Entity/RefreshToken.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Entity;
+
+use Doctrine\ORM\Mapping as ORM;
+use Gesdinet\JWTRefreshTokenBundle\Entity\RefreshToken as BaseRefreshToken;
+
+#[ORM\Entity]
+#[ORM\Table(name: 'refresh_tokens')]
+class RefreshToken extends BaseRefreshToken {}
diff --git a/api/src/OpenApi/JwtDecorator.php b/api/src/OpenApi/JwtDecorator.php
@@ -38,7 +38,7 @@ public function __invoke(array $context = []): OpenApi {
                 tags: ['Login'],
                 responses: [
                     '204' => [
-                        'description' => "Get a JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s",
+                        'description' => "Get a JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s. Also returns a refresh token in {$cookiePrefix}refresh_token",
                     ],
                 ],
                 summary: 'Log in using email and password.',
diff --git a/api/src/OpenApi/RefreshTokenDecorator.php b/api/src/OpenApi/RefreshTokenDecorator.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace App\OpenApi;
+
+use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
+use ApiPlatform\OpenApi\Model;
+use ApiPlatform\OpenApi\OpenApi;
+
+/**
+ * Decorates the OpenApi factory to add API docs for the login endpoint.
+ */
+final class RefreshTokenDecorator implements OpenApiFactoryInterface {
+    public function __construct(private OpenApiFactoryInterface $decorated, private string $cookiePrefix) {}
+
+    public function __invoke(array $context = []): OpenApi {
+        $openApi = ($this->decorated)($context);
+
+        $cookiePrefix = $this->cookiePrefix;
+        $pathItem = new Model\PathItem(
+            ref: 'JWT Token Refresh',
+            post: new Model\Operation(
+                operationId: 'postRefreshToken',
+                tags: ['JWT Refresh'],
+                responses: [
+                    '204' => [
+                        'description' => "Get a refreshed JWT token split across the two cookies {$cookiePrefix}jwt_hp and {$cookiePrefix}jwt_s. Also returns a new refresh token {$cookiePrefix}refresh_token.",
+                    ],
+                ],
+                summary: 'Refresh token.',
+                requestBody: new Model\RequestBody(
+                    description: 'Body',
+                    content: new \ArrayObject([
+                        'application/ld+json' => [
+                            'schema' => [],
+                        ],
+                        'application/json' => [
+                            'schema' => [],
+                        ],
+                    ]),
+                ),
+            ),
+        );
+        $openApi->getPaths()->addPath('/token/refresh', $pathItem);
+
+        return $openApi;
+    }
+}
diff --git a/api/src/Serializer/Normalizer/UriTemplateNormalizer.php b/api/src/Serializer/Normalizer/UriTemplateNormalizer.php
@@ -51,6 +51,7 @@ public function normalize($data, $format = null, array $context = []): null|arra
         $result['_links']['oauthPbsmidata'] = ['href' => $this->urlGenerator->generate('connect_pbsmidata_start').'{?callback}', 'templated' => true];
         $result['_links']['oauthCevidb'] = ['href' => $this->urlGenerator->generate('connect_cevidb_start').'{?callback}', 'templated' => true];
         $result['_links']['oauthJubladb'] = ['href' => $this->urlGenerator->generate('connect_jubladb_start').'{?callback}', 'templated' => true];
+        $result['_links']['refreshToken'] = ['href' => $this->urlGenerator->generate('api_refresh_token')];
         $result['_links']['resetPassword'] = ['href' => $this->urlGenerator->generate('_api_/auth/reset_password{._format}_post').'{/id}', 'templated' => true];
         $result['_links']['resendActivation'] = ['href' => $this->urlGenerator->generate('_api_/auth/resend_activation{._format}_post'), 'templated' => false];
 
diff --git a/api/symfony.lock b/api/symfony.lock
@@ -174,6 +174,20 @@
     "gedmo/doctrine-extensions": {
         "version": "v3.0.5"
     },
+    "gesdinet/jwt-refresh-token-bundle": {
+        "version": "1.5",
+        "recipe": {
+            "repo": "github.com/symfony/recipes-contrib",
+            "branch": "main",
+            "version": "1.0",
+            "ref": "2390b4ed5c195e0b3f6dea45221f3b7c0af523a0"
+        },
+        "files": [
+            "config/packages/gesdinet_jwt_refresh_token.yaml",
+            "config/routes/gesdinet_jwt_refresh_token.yaml",
+            "src/Entity/RefreshToken.php"
+        ]
+    },
     "google/recaptcha": {
         "version": "1.2",
         "recipe": {
diff --git a/api/tests/Api/SnapshotTests/EndpointPerformanceTest.php b/api/tests/Api/SnapshotTests/EndpointPerformanceTest.php
@@ -244,6 +244,7 @@ private static function getCollectionEndpoints() {
                 '/auth/resend_activation' => false,
                 '/invitations' => false,
                 '/personal_invitations' => false,
+                '/token/refresh' => false,
                 default => true
             };
         });
diff --git a/api/tests/Api/SnapshotTests/ResponseSnapshotTest.php b/api/tests/Api/SnapshotTests/ResponseSnapshotTest.php
@@ -117,6 +117,7 @@ public static function getCollectionEndpoints() {
                 '/auth/resend_activation' => false,
                 '/invitations' => false,
                 '/personal_invitations' => false,
+                '/token/refresh' => false,
                 '/users' => false,
                 default => true
             };
diff --git a/api/tests/Api/SnapshotTests/__snapshots__/ResponseSnapshotTest__testOpenApiSpecMatchesSnapshot__1.yml b/api/tests/Api/SnapshotTests/__snapshots__/ResponseSnapshotTest__testOpenApiSpecMatchesSnapshot__1.yml
@@ -34692,6 +34692,24 @@ paths:
       summary: 'Updates the ScheduleEntry resource.'
       tags:
         - ScheduleEntry
+  /token/refresh:
+    post:
+      operationId: postRefreshToken
+      requestBody:
+        content:
+          application/json:
+            schema: []
+          application/ld+json:
+            schema: []
+        description: Body
+        required: false
+      responses:
+        204:
+          description: 'Get a refreshed JWT token split across the two cookies example_com_jwt_hp and example_com_jwt_s. Also returns a new refresh token example_com_refresh_token.'
+      summary: 'Refresh token.'
+      tags:
+        - 'JWT Refresh'
+    ref: 'JWT Token Refresh'
   /users:
     get:
       deprecated: false
diff --git a/api/tests/Api/SnapshotTests/__snapshots__/ResponseSnapshotTest__testRootEndpointMatchesSnapshot__1.json b/api/tests/Api/SnapshotTests/__snapshots__/ResponseSnapshotTest__testRootEndpointMatchesSnapshot__1.json
@@ -111,6 +111,9 @@
             "href": "/profiles{/id}{?user.collaborations.camp,user.collaborations.camp[],user,user[]}",
             "templated": true
         },
+        "refreshToken": {
+            "href": "/token/refresh"
+        },
         "resendActivation": {
             "href": "/auth/resend_activation",
             "templated": false
diff --git a/frontend/src/main.js b/frontend/src/main.js
@@ -23,6 +23,7 @@ import 'vue-toastification/dist/index.css'
 
 import { ClickOutside, Resize } from 'vuetify/lib/directives'
 import ResizeObserver from 'v-resize-observer'
+import { initRefresh } from '@/plugins/auth.js'
 
 const env = getEnv()
 if (env && env.SENTRY_FRONTEND_DSN) {
@@ -63,3 +64,6 @@ new Vue({
   unhead,
   render: (h) => h(App),
 }).$mount('#app')
+
+// noinspection JSIgnoredPromiseFromCall
+initRefresh()
diff --git a/frontend/src/plugins/__tests__/auth.spec.js b/frontend/src/plugins/__tests__/auth.spec.js
diff --git a/frontend/src/plugins/auth.js b/frontend/src/plugins/auth.js
