Regenerate ( refresh ) Token on Browser

Question

The scenario is, we have a website which for some web notification we're using web push and after user login into the website we check that if he/she granted notification permission to us we don't ask it ,if not we ask to enable notification, The generated Token is per browser I mean if the user log-out and another user login to our website previous Token available for the new logged in user, So if we want to notify the previous user, the new user got our notification.

The simple solution is on Logout delete the token and after each login we should ask user to grant permission again to us but it's bothering user, I have an idea when user login to the site, we check that previous user was herself/ himself, we do nothing , but if there is another user, without asking to grant permission again(while we asked them before) we refresh the token , I mean regenerate another Token for him/her and save that Token in our backend, My question is How can we regenerate the Token without asking again to grant Notification permission in the Browser?

Answer 1

You can't regenerate the token without revoking permission.

However you can use the same strategy that we have used for Pushpad:

• each token (i.e. browser) in your database is present only once
• each token has at most one user ID associated to it
• when the user logs out you remove the user ID from the token
• when the user logs in you add the user ID to the current token
• when you need to send notifications you target specific user IDs