Reputation: 8492
I'm building my first API with JWT. I'm using this boilerplate project: https://github.com/krisanalfa/lumen-jwt
I managed to make it work well, but I'm having a big problem: the user token expires after some time, logging the user off the application. I've read in the documentation of the project to call /api/auth/refresh to refresh the token, but right now it seems to me that it has two major drawbacks:
1) You have to make a single call to the API just to refresh the token; I would imagine that you would have to set up a timer to call it every X minutes (time of token expiration).
2) If the user turns off the computer for 3 hours, when he turns it back on, the token will already have expired, rendering the refresh unusable, and logging the user off.
Since I'm new to this, am I missing something? How can I make the token refresh cycle work without these drawbacks?
Upvotes: 1
Views: 1728
Reputation: 17388
Taking your two points.
1) You can make a token valid for only a single use by using the blacklist feature. This however isn't entirely necessary.
In my own project, I gave tokens a 5 minute expiry, but I also applied the jwt-refresh middleware to my authenticated routes (wrapped in a route group), so that a new token was returned with every request.
2) You can also specify a refresh expiry, which is the window during which an expired token can be authenticated. This is usually much longer than a token. I used 14 days.
Therefore, if a user leaves your website for 3 hours and comes back, their token will have expired. But your app should attempt to refresh that token in the background and then re-attempt the original request.
Give some thought to the obvious security implications of the respective token lifetimes. 5 minutes is a short window for abuse, but if an expired token can be refreshed for up to 14 days, that increases the risk, unless you're blacklisting it.
Upvotes: 1
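The refresh cycle the answer describes (5-minute token lifetime, 14-day refresh window during which an expired token may still be refreshed, old token blacklisted on refresh) as an added, self-contained Python model; this is not the lumen-jwt project's code. The hand-rolled HS256 signing, the `orig_iat` claim that pins the refresh window to the first login, the in-memory `blacklist` set and the constructed secret are assumptions standing in for the library's own implementation.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret"   # constructed placeholder, not a real key
TOKEN_TTL = 5 * 60                    # 5-minute token lifetime, as in the answer
REFRESH_TTL = 14 * 24 * 3600          # 14-day refresh window, as in the answer
blacklist = set()                     # jti values that may no longer be used (assumed in-memory)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, now: int, orig_iat=None) -> str:
    # orig_iat (assumed claim) pins the refresh window to the first login,
    # so chained refreshes cannot extend a session indefinitely.
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + TOKEN_TTL,
                               "orig_iat": now if orig_iat is None else orig_iat,
                               "jti": uuid.uuid4().hex}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_signature(token: str) -> dict:
    # Checks signature and blacklist only; how to treat expiry is the caller's decision.
    h, p, s = token.split(".")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(p))
    if payload["jti"] in blacklist:
        raise ValueError("token blacklisted")
    return payload

def authenticate(token: str, now: int) -> str:
    # Authenticated routes: an expired token is rejected outright.
    payload = verify_signature(token)
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload["sub"]

def refresh(token: str, now: int) -> str:
    # /api/auth/refresh: an expired token is still accepted while inside the
    # refresh window; the old jti is blacklisted so each token is single-use.
    payload = verify_signature(token)
    if now >= payload["orig_iat"] + REFRESH_TTL:
        raise ValueError("refresh window closed, log in again")
    blacklist.add(payload["jti"])
    return issue_token(payload["sub"], now, payload["orig_iat"])
```

A client that receives "token expired" from an authenticated route calls `refresh` with the old token and then retries the original request with the new one; once the 14-day window closes the user has to log in again.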