
api, ui: Implement refresh token #1739

Closed
3 of 10 tasks
SamuelPull opened this issue Mar 21, 2024 · 1 comment · Fixed by #1921
Assignees
Labels
api Indicates api related issue or feature blockchain Indicates blockchain related issue or feature e2e-tests feature Indicates a new feature implementation frontend Indicates frontend related issue or feature

Comments

@SamuelPull
Collaborator

SamuelPull commented Mar 21, 2024

  • The feature was discussed based on security audit findings and current best practices
  • I have searched the issues of this repository and believe that this is not a duplicate.

Description 💡

  • Create a new api route for token refreshing (/refresh). This route will take the refresh token, verify it, and if it's valid, issue a new access token (token cookie).
  • Update login route(s) to issue access (token) and refresh (refreshToken) tokens.
  • Since we are using httpOnly cookies, the api server needs to send the expiration date(s) of the tokens in the response. The client can store it in-mem or so and check expiration before making a request. If the token is expired, the client requests a new token from the server. (TBD: does this change require a new apiVersion?)
  • Implement checking the expiration date and refreshing the token in the frontend
  • Update e2e tests
  • Update documentation
  • Should we use short-lived tokens, or implement a token blacklist? With blockchain, it's hard to say what a blacklist's impact on performance will be.

EDIT:
  • API: remove groups data from token #1755

EDIT 2:
I'm not sure if there is any added value in implementing refresh token without token rotation and/or option to revoke refresh token, but blockchain is not an optimal data store to handle this added complexity. On second thought, I don't think this adds value to the users and partners at the moment.

@SamuelPull SamuelPull added the feature Indicates a new feature implementation label Mar 21, 2024
@issuelabeler issuelabeler bot added api Indicates api related issue or feature blockchain Indicates blockchain related issue or feature frontend Indicates frontend related issue or feature labels Mar 21, 2024
@SamuelPull SamuelPull added this to the TruBudget 2.10.0 milestone Mar 21, 2024
@SamuelPull SamuelPull added e2e-tests and removed blockchain Indicates blockchain related issue or feature labels Mar 21, 2024
@issuelabeler issuelabeler bot added the blockchain Indicates blockchain related issue or feature label Mar 28, 2024
@SamuelPull SamuelPull self-assigned this Apr 9, 2024
@SamuelPull
Collaborator Author

SamuelPull commented May 29, 2024

TB with DB
