[Auth] Refresh token

[Hagith]

• validate token expiration
• issue refresh token
• refresh access token

https://medium.com/@sadnub/simple-and-secure-api-authentication-for-spas-e46bcea592ad

[Hagith]

nestjs/jwt#122

[ishpagin]

It would be great to get it from the box, because no tutorials about this topic in nestjs community :(

[Hagith]

@ishpartko thanks for stopping by. In my opinion refresh token logic is out of scope of passport library, and consequently outside the scope of nestjs/jwt. JWT library only provides mechanism for issuing tokens and it's validation with the secret.
It is the consumer's (project) responsibility to store/manage refresh tokens and implement additional verification logic. This logic mostly depends on the project requirements and can be implemented on may different ways.
My first implementation will be very simple: generate token with extended expiration period, store it in the database and pass it to the client. But I know that it is considered a bad practice form the security point of view.
In the next step I will implement simple "middleware" which will store refresh token in the session and only encrypted Http-Only cookie will be passed to the client.