Refresh token #11

Closed
marijang opened this issue Nov 12, 2014 · 16 comments

@marijang

What about refresh token?

I'm using Angular and I want to refresh the token. How to do this?

@tymondesigns
Owner

At the moment there is no "in-built" way to do this for you. It would have to be done manually for now.

One way would be to create a refresh endpoint that would accept an expired token. You would then validate the token and payload claims (excluding the expiry) and issue a new token.

I am currently working on the develop branch and this will be built in.

@marijang
Author

Look at https://www.youtube.com/watch?v=eWUkxzyB1Rk

He is using Redis for token expiry. This is good because there is no need for an SQL query, only the first time. So it would be cool to have an option to sync with Redis :D

Thanks a lot.

@marijang
Author

Uuu, I see you are using jti from the example :D

Very niceeeee man:D

@marijang
Author

Does it support Laravel 5?

@tymondesigns
Owner

Yes, I plan to support both Laravel 4 and 5 with the upcoming release. There will be a filter and middleware 👍

tymondesigns added this to the 0.4 milestone Jan 10, 2015

@yanilkr

yanilkr commented Jan 19, 2015

I wrote a simple "after" filter that generates a new token and sets it in the response header.

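$token = JWTAuth::getToken();
$user = JWTAuth::toUser($token);

// accepts a User, and returns a token
$newToken = JWTAuth::fromUser($user);

// PHP concatenates strings with "." ("+" is numeric addition);
// the scheme and the token are separated by a space
$response->headers->set('Authorization', 'bearer ' . $newToken);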

In every successful response that needs authorization, this new header is added.

On the client side, an AngularJS interceptor updates the global "Authorization" header value. This enables you to set a very low token expiration time and then keep on extending it till the user is inactive for more than 5 mins or 10 mins on the app.

This would be much simpler if there were a new method that does not touch the database.
JWTAuth::renew($oldToken) and returns a newToken

JWTAuth::toUser($token): This method goes to the database and makes it less effective to call in the after filter.

@marijang
Author

I agree with yanilkr :D

@tymondesigns
Owner

Thanks guys, I think I will implement this into a separate middleware (sending a new token with every response), so it will be the developer's choice to use it.

@tymondesigns
Owner

RefreshToken Middleware added :)

@hotrush

hotrush commented Feb 26, 2015

Hi. What method can help me to generate a refreshed token manually?

@tymondesigns
Owner

@hotrush You can do one of the following:

$oldToken = 'foo.bar.baz';

$newToken = JWTAuth::refresh($oldToken);
// or
$newToken = JWTAuth::parseToken()->refresh();
// or
$newToken = JWTAuth::setToken($oldToken)->refresh();
// etc

@msantang78

I can't refresh the token if it's expired. Maybe I'm wrong, but it would have to be able to refresh the token while the refresh_ttl time is not expired?
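
The manual refresh described earlier in this thread (accept an expired token, validate its signature and claims except the expiry, issue a new token), bounded by a refresh window like the refresh_ttl mentioned above, as an added example that is not part of the thread and not jwt-auth's own code. It assumes HS256 with a shared secret, a window counted from iat, and an in-memory jti blacklist; all function names and constants are hypothetical.

```php
<?php
// Added example, not jwt-auth code. Names and constants below are hypothetical.
const SECRET      = 'constructed-demo-secret'; // assumption: shared HS256 key
const TTL         = 300;      // access-token lifetime in seconds (assumed)
const REFRESH_TTL = 1209600;  // refresh window in seconds, counted from iat (assumed)
function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function sign(array $claims): string {
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
}

function refresh(string $old, int $now, array &$blacklist): string {
    $parts = explode('.', $old);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$head, $body, $sig] = $parts;
    // Signature first; the algorithm is pinned here and never read from the header.
    $expected = b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
    if (!hash_equals($expected, $sig)) {
        throw new RuntimeException('bad signature');
    }
    $pad = str_repeat('=', (4 - strlen($body) % 4) % 4);
    $c = json_decode((string) base64_decode(strtr($body, '-_', '+/') . $pad, true), true);
    if (!is_array($c) || !isset($c['sub'], $c['jti']) || !is_int($c['iat'] ?? null)) {
        throw new RuntimeException('missing claims');
    }
    // exp is deliberately ignored; the refresh window bounds token age instead.
    if ($c['iat'] > $now || $now - $c['iat'] > REFRESH_TTL) {
        throw new RuntimeException('refresh window closed');
    }
    // One-time use: a token that was already exchanged cannot be replayed.
    if (isset($blacklist[$c['jti']])) {
        throw new RuntimeException('token already refreshed');
    }
    $blacklist[$c['jti']] = $c['iat'] + REFRESH_TTL; // entry can be evicted after this
    // iat is carried over, so refreshing never extends the original window.
    return sign(['sub' => $c['sub'], 'iat' => $c['iat'], 'exp' => $now + TTL,
                 'jti' => bin2hex(random_bytes(16))]);
}

$blacklist = [];
$t0  = 1700000000; // constructed timestamp
$old = sign(['sub' => 42, 'iat' => $t0, 'exp' => $t0 + TTL, 'jti' => 'demo-jti-1']);
echo refresh($old, $t0 + 900, $blacklist), PHP_EOL; // expired 10 minutes ago, inside window
try { refresh($old, $t0 + 901, $blacklist); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

In a real deployment the blacklist would live in a shared store with a TTL rather than a PHP array, so every application server sees the same revocations.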

@hotrush

hotrush commented Mar 22, 2015

@tymondesigns thanks, I will try

@bchrobot

bchrobot commented Apr 6, 2015

What is the best way to implement the Laravel 5 Middleware style in Laravel 4?

@osteel

osteel commented Jun 10, 2015

Hi @yanilkr, rather old issue I know but any chance to see what your response interceptor looks like in AngularJS?

I am using the RefreshToken middleware to pass refreshed tokens to every response (I can confirm its presence from the network panel of my browser) but for some reason I can't find it in the headers of my response in my interceptor:

return {
    "response": function(response) {
        // only contains "content-type" and "cache-control"
        $log.log(response.headers());
        return response;
    }
}

My research's been unsuccessful so far!

Thanks

@osteel

osteel commented Jun 10, 2015

Never mind, finally found the answer.

When using CORS, you need to specify to which headers the client will have access, using the Access-Control-Expose-Headers header.

http://stackoverflow.com/questions/25673089/why-is-access-control-expose-headers-needed
