This repository is a small effort to attach a JWT refresh token, whose encoded payload carries the necessary security information, to the response header so that it stays attached to all subsequent request headers until it is explicitly removed.
I am using the PyJWT module to create the access token and the refresh token, which are embedded in the response header once the login API request succeeds. For each subsequent request, the same header carries the token as a cookie until the access token expires. The design is implemented so that when the access token has expired, the validity of the refresh token is checked. As long as the refresh token remains valid, expiry of the access token triggers a database query to fetch the information needed to identify the user; otherwise, the corresponding user is signed out. Refresh tokens are also tracked in a database table.

All the information embedded in the token payload, which can be very sensitive, is encrypted so that the tokens get double-layer security. Beyond validating the token, further checks and validations can be added to the pipeline as needed by including more information in the payload; since the payload is encrypted, there is almost no restriction on its size. To extend the authentication functionality, an additional decorator must be written for each required validation; decorators can also inherit data and attributes from one another sequentially.
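As an added, stand-alone illustration of the flow described above (this is not code from the repository), the following implements the issue, verify and refresh logic with a minimal HS256 signer built from the standard library in place of PyJWT. The secret value, the TTLs, the claim names and the in-memory `refresh_store` standing in for the database table are assumptions, and the payload encryption described above is not shown.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"placeholder-load-from-.env"        # constructed; the real key comes from .env
ACCESS_TTL, REFRESH_TTL = 900, 7 * 86400        # seconds; assumed values
refresh_store = set()                           # stands in for the refresh-token table

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(payload: dict) -> str:
    # Minimal HS256 JWT: base64url(header).base64url(payload).base64url(signature)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode(token: str, now: float):
    # Returns (claims, status) with status "ok", "expired" or "invalid"; the signature is verified first
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None, "invalid"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "invalid"
    claims = json.loads(_unb64(body))
    return claims, ("expired" if now >= claims["exp"] else "ok")

def issue(user_id: str, now: float) -> dict:
    # Called after a successful login; the refresh token id (jti) is recorded in the store
    jti = secrets.token_hex(8)
    refresh_store.add(jti)
    return {
        "access": encode({"sub": user_id, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh": encode({"sub": user_id, "typ": "refresh", "jti": jti, "exp": now + REFRESH_TTL}),
    }

def authenticate(cookies: dict, now: float):
    # Returns (user_id, replacement_tokens); a None user_id means the user is signed out
    claims, status = decode(cookies.get("access", ""), now)
    if status == "ok" and claims.get("typ") == "access":
        return claims["sub"], None
    if status != "expired":
        return None, None
    rclaims, rstatus = decode(cookies.get("refresh", ""), now)
    if rstatus != "ok" or rclaims.get("typ") != "refresh" or rclaims.get("jti") not in refresh_store:
        return None, None
    refresh_store.discard(rclaims["jti"])  # rotate: the refresh token just used is retired
    return rclaims["sub"], issue(rclaims["sub"], now)
```

A real deployment would also check the refresh token against the tracking table on sign-out so that a revoked token cannot be replayed after the access token expires.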
All secrets and keys are managed in a separate .env file for portability.