Thoughts on how to refresh #52
Right now, you are required to send the access token and the refresh token.
Why? Well, it seems like a good idea to facilitate the lookup of refresh tokens by knowing against which user you are trying to look up. It seems like another layer (albeit thin) of security. The alternative is to look up the user by refresh token alone.
In the current operation, there is NO verification of the JWT at this stage while refreshing; it is used ONLY to pass the payload and get the intended
I think this is probably the best method, but I am open to thoughts on whether this should change. Perhaps it could be configurable.
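The refresh flow described above, as an added example that is not the project's own code: the caller sends the expired access token plus the refresh token, the `sub` claim of the JWT selects the user, and the stored refresh token for that user is compared against the supplied one. Unlike the current behaviour described in the issue, this version still checks the JWT signature and `alg` header (only `exp` is ignored) before trusting the payload, and compares tokens in constant time; the HS256 helpers, `REFRESH_STORE`, the secret and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed value; use a random secret in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT signer (enough for the demo; not a full JOSE implementation)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt_allow_expired(token: str, secret: bytes = SECRET) -> dict:
    """Check alg and signature, ignore 'exp', return the payload; ValueError on failure."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # refuse alg confusion / 'none'
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body))
    except ValueError as exc:
        raise ValueError(f"invalid token: {exc}") from exc


# constructed store: user id -> issued refresh token (a real store would keep a hash)
REFRESH_STORE = {"alice": "rt-constructed-123"}


def refresh(access_token: str, refresh_token: str, store=REFRESH_STORE) -> Optional[str]:
    """Return a fresh access token, or None if either token fails the cross-check."""
    try:
        payload = verify_jwt_allow_expired(access_token)
    except ValueError:
        return None
    stored = store.get(payload.get("sub"))
    if stored is None or not hmac.compare_digest(stored, refresh_token):
        return None
    return issue_jwt({"sub": payload["sub"], "exp": int(time.time()) + 900})
```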
I think this is a good approach to tighten up security (by cross-referencing the expired token payload and the refresh token given), but this can be optional to the refresh token method's implementation (adding all required arguments to make this work to