I'm developing a website with Django REST framework and django-rest-framework-jwt for the backend, and Next.js, React and Redux for the frontend.
With the following assumptions:
I store the access token in cookies, not in localStorage, because I'm using Next.js and I want to get the access token before the initial render.
When the user logs in, the backend sends the access token as a cookie.
The expiration of the access token and refresh token is as below:
# settings.py (django-rest-framework-jwt reads these from the JWT_AUTH dict)
import datetime
JWT_AUTH = {
    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=300),
    'JWT_ALLOW_REFRESH': True,
    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),
    'JWT_AUTH_COOKIE': 'token',
}
Based on the above, I have a few questions.
The access token will expire in 5 minutes. Within those 5 minutes, the user can request a page that has permission_classes = (IsAuthenticated,)
with the access token. If 5 minutes have passed, the cookie (access token) will disappear automatically and the user needs to log in again. To avoid this, there is the refresh token mechanism, right?
If that's right, when and how is it correct to refresh the token?
Before requesting the backend with the access token, always compare the expiration of the access token to the current time; then, if it will expire soon, stop the request once, switch to the refresh-token call with axios first, and after getting the new token, restart the request with the new token...
Is this the correct way?
Because it's a cookie, right? For example, after the user logs in and leaves the computer for 10 minutes. The user comes back and tries to view the website, but he needs to log in again, because there is no more access token in the cookies and the token cannot be refreshed either. What should I do?
I want the user not to have to log in many times, and to keep the user logged in until the refresh token expires.
Upvotes: 0
Views: 431
Reputation: 35493
You can use the "interceptor" concept. For example, axios has it: you can add a response interceptor, and if the server returns a special error ("token_expired"), then that interceptor will call the refresh-token
API with the refresh token that it has, get a fresh access token and retry the last failing request.
Check out the first answer here: https://github.com/axios/axios/issues/934#issuecomment-322003342
Hope this is clear.
Upvotes: 1
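The flow the answer describes (a response interceptor that reacts to a "token_expired" error, refreshes, and retries the failed request), together with the question's two worries (a token that expires while the user is away, and what to do once the refresh token itself is gone), as an added example that is not code from the question, the answer, or the axios project. To run offline it uses a constructed in-memory fake backend and a plain object standing in for the browser cookie jar instead of real axios and HTTP; the URLs, token strings, error codes and cookie names are all assumptions. It also shows two details a practitioner wants in this pattern: concurrent 401s share a single refresh call, and a request is retried at most once so a bad token can never loop forever; when the refresh token is rejected, the client clears both cookies and signals that the user must log in again.

```javascript
// Constructed fake backend: stands in for the Django REST framework API.
// A real backend verifies a signed JWT; here validity is a Set lookup so the
// refresh-and-retry flow can be exercised without a network.
function makeFakeServer() {
  const state = { validAccess: new Set(["access-1"]), refreshToken: "refresh-1", issued: 1, refreshCalls: 0 };
  return {
    state,
    // Simulates one HTTP round-trip; `cookies` plays the browser cookie jar.
    async request(url, cookies) {
      if (url === "/api/token/refresh/") {            // assumed refresh endpoint
        state.refreshCalls += 1;
        if (cookies.refresh !== state.refreshToken) {
          return { status: 401, data: { code: "refresh_expired" } };
        }
        state.issued += 1;
        const token = `access-${state.issued}`;
        state.validAccess.add(token);
        return { status: 200, data: { token } };
      }
      if (!state.validAccess.has(cookies.token)) {
        return { status: 401, data: { code: "token_expired" } };  // the "special error"
      }
      return { status: 200, data: { url, ok: true } };
    },
  };
}

// Minimal axios-like client whose `get` behaves like a response interceptor.
function makeClient(server, cookies, onLogout) {
  let refreshing = null; // single-flight: concurrent 401s share one refresh call

  async function refreshAccessToken() {
    if (!refreshing) {
      refreshing = server.request("/api/token/refresh/", cookies)
        .then((res) => {
          if (res.status !== 200) throw new Error("refresh_failed");
          cookies.token = res.data.token;   // new access token replaces the cookie
          return res.data.token;
        })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function get(url, config = {}) {
    const res = await server.request(url, cookies);
    const expired = res.status === 401 && res.data.code === "token_expired";
    if (expired && !config._retry) {              // retry at most once per request
      try {
        await refreshAccessToken();
      } catch (e) {
        cookies.token = undefined;                 // refresh token is gone: drop session
        cookies.refresh = undefined;
        onLogout();                                // caller redirects to the login page
        throw e;
      }
      return get(url, { ...config, _retry: true });
    }
    return res;
  }
  return { get };
}

// Walks through the three situations from the question and returns what happened.
async function demo() {
  const server = makeFakeServer();
  const cookies = { token: "access-1", refresh: "refresh-1" };  // constructed cookie jar
  let loggedOut = 0;
  const client = makeClient(server, cookies, () => { loggedOut += 1; });

  const first = await client.get("/api/profile/");   // token still valid: no refresh
  server.state.validAccess.delete("access-1");       // the 5-minute expiry has passed
  // Two requests fail with token_expired at once; only one refresh call is made.
  const [a, b] = await Promise.all([client.get("/api/profile/"), client.get("/api/orders/")]);
  server.state.refreshToken = "expired-refresh";     // the 7-day refresh token is gone
  server.state.validAccess.clear();
  let failed = false;
  try { await client.get("/api/profile/"); } catch (e) { failed = true; }
  return { first: first.status, a: a.status, b: b.status,
           refreshCalls: server.state.refreshCalls, failed, loggedOut, token: cookies.token };
}

demo().then((r) => console.log(r));
```

The same structure maps onto real axios: the body of `get` after the first `await` is what goes into `axios.interceptors.response.use(null, handler)`, with `error.config` standing in for `config` and `axios(error.config)` for the retry. Keeping the single-flight `refreshing` promise matters in a Next.js app, where several components may fire requests on the same render and would otherwise each trigger their own refresh.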