JWT Forever Token Code Doesn't Match Docs #32

Closed
zerox1212 opened this Issue Sep 28, 2017 · 4 comments


zerox1212 commented Sep 28, 2017

In the code docs this is written:

        //-----------------------------------------------------------------
        // This will avoid TokenExpiredException error as long as we are
        // still in the refresh TTL window. Will still allow throwing
        // TokenExpiredException after refresh TTL has passed.
        //
        // NOTE: No tokens (including forever tokens) can ever be
        // refreshed after refresh TTL has passed.

In the documents here: http://wiki.dreamfactory.com/DreamFactory/Tutorials/Forever_sessions
Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.

I think the code docs are correct because checkOrFail() being called on refresh will throw an exception, making it impossible to refresh a forever token that is past its refresh TTL. The wiki is wrong or the code needs to be changed.

        // Checks for token validity - Expired TTL, Expired Refresh TTL, Blacklisted.
        JWTAuth::checkOrFail();

I imagine most people get around this by setting a huge refresh TTL.

Contributor

df-arif commented Sep 28, 2017

@zerox1212 , Thanks for pointing this out. The code is correct. Wiki documentation was outdated. I have already updated the wiki documentation to reflect what the code does.

@df-arif df-arif closed this Sep 28, 2017

zerox1212 commented Sep 28, 2017

Thanks for the fast response. Can you confirm why DF creates an entirely new token when a token is refreshed? With the old documentation it would make sense to make a new token, but with the updated explanation I think you can just call JWTAuth::refreshToken() on the forever token and that will reset the refresh TTL?

Contributor

df-arif commented Sep 28, 2017

DreamFactory uses this third party JWT library - https://github.com/tymondesigns/jwt-auth. The earlier versions of this library supported the forever session the way you found it on our wiki. They tightened up a few things in the newer version and no longer support forever sessions in that manner. Check out the 'Refresh time to live' section on their documentation at https://github.com/tymondesigns/jwt-auth/wiki/Configuration for more clarification.

This is why just calling JWTAuth::refresh() doesn't reset the refresh window. In fact the library itself never resets the refresh ttl for a token. Therefore, we had to create a brand new token with a new refresh window every time a forever token is refreshed in DreamFactory. Hope this answers your question.
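A small model of the rule described in the original report and in this reply, added here as an example and not code from DreamFactory or tymon/jwt-auth: the refresh window is anchored to the token's original `iat` claim, a plain refresh keeps that `iat` and so never moves the window, and a forever session therefore has to mint a brand-new token. The TTL values and the timestamps are assumed, constructed inputs.

```python
# Constructed model, not tymon/jwt-auth or DreamFactory code: the refresh
# window is anchored to the token's ORIGINAL iat claim and is never moved
# by a refresh, so a "forever" session must mint a brand-new token instead.
TTL = 60           # assumed: minutes a token is valid
REFRESH_TTL = 120  # assumed: minutes after the original iat in which refresh is allowed

class TokenExpiredException(Exception):
    pass

def issue_token(sub, now):
    """Mint a brand-new token; its iat starts a fresh refresh window."""
    return {"sub": sub, "iat": now, "exp": now + TTL * 60}

def check_or_fail(token, now):
    """Model of checkOrFail(): reject once the refresh window has closed."""
    if now > token["iat"] + REFRESH_TTL * 60:
        raise TokenExpiredException("Token has expired and can no longer be refreshed")
    return True

def refresh(token, now):
    """Model of JWTAuth::refresh(): new exp, but the original iat is kept."""
    check_or_fail(token, now)
    return {"sub": token["sub"], "iat": token["iat"], "exp": now + TTL * 60}

def forever_refresh(token, now):
    """DreamFactory-style forever session: validate, then issue a new token
    with a fresh iat, which starts a new refresh window."""
    check_or_fail(token, now)
    return issue_token(token["sub"], now)

def demo(t0=1_500_000_000):
    """Refresh every 30 min for 90 min, then try again 150 min after t0.
    Returns (plain refresh still allowed, forever refresh still allowed)."""
    plain = forever = issue_token("user-1", t0)
    for step in (1, 2, 3):
        plain = refresh(plain, t0 + step * 30 * 60)
        forever = forever_refresh(forever, t0 + step * 30 * 60)
    late = t0 + (REFRESH_TTL + 30) * 60  # 30 min past the original window
    try:
        refresh(plain, late)
        plain_ok = True
    except TokenExpiredException:
        plain_ok = False  # iat never moved, so the refresh chain is dead
    # The forever chain's iat is t0 + 90 min, so it is still refreshable.
    return plain_ok, check_or_fail(forever, late)
```

Running `demo()` returns `(False, True)`: the plain refresh chain dies at the original window's end regardless of how often it was refreshed, which is exactly why a huge DF_JWT_REFRESH_TTL was the usual workaround.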

zerox1212 commented Sep 28, 2017

Very good explanation. I did look at that library. I will look at the jwt-auth code closer so I fully understand. Thanks.
