[WIP] Add refresh token support to Auth flow

[nyzm]

My PR is a:

• 💥 Breaking change
• 🐛 Bug fix #issueNumber
• 💅 Enhancement
• 🚀 New feature

Main update on the:

• Admin
• Documentation
• Framework
• Plugin

Manual testing done on the following databases:

• Not applicable
• MongoDB
• MySQL
• Postgres

Description:

• A refresh token will be included in the response of below api's

• /auth/local
• /auth/:provider/callback
• /auth/reset-password
  

• Using a refresh token to generate a new jwt access token. Mobile clients required to save both identifier and refresh token to be able to get a new access token.
  

• user/me api will return tokens of the user (in case multiple mobile and desktop apps logged in)
  

• Revoke api for deleting the specified token from database.
  

I think we will need a way to revoke the jwt tokens as well. which I havent think about yet. Its like log out from specified device.

Concerns:

• I haven't tested it on other db's but just postgres. It should work but need a complete test on it.
• Documentation and probably strapi-sdk-javascript need a little update for this

Pitch in any concerns or ideas
Regards

[derrickmehaffy]

Awesome job! There will need to be a lot of testing to make sure everything works as expected but if it all goes smoothly this will be a great step forward for mobile developers.

Have you put any thought into also supporting refresh tokens for any of the OAuth providers? (Many of them already have refresh tokens, I think just the logic is required to use them), a good example being discord.

[nyzm]

As I see in code that all the providers are ending with jwt token at the end.
I am not sure if we should generate a refresh token for 3rd party providers or not(Code in the commit does generate a refresh token for 3rd party providers as well). Cause user can just disconnect the app from 3rd party provider' website/app. But our mobile app will continue to get new jwt tokens with the refresh token that we generated. might need more checks on that part.

[derrickmehaffy]

@nyzm it depends on the provider. For the most part once the plugin framework rewrite is done and we can break each provider into it's own plugin (and convert over to passport.js) we can likely deal with refresh tokens then. I'm not terribly familiar with oauth itself but I figure it was least worth looking into.

[lauriejim]

Thank you for this PR!

I think we also have to write some lines in the documentation about this new feature https://github.com/strapi/strapi/blob/master/docs/3.x.x/guides/authentication.md

[lauriejim]

If I login for the second time from the same agent, previous refreshToken still active.
I think it have to be deleted nop ?

[lauriejim]

And when I register from with auth/local/register I think if the settings.email_confirmation is disable we can also add a refreshToken.

[nyzm]

If I login for the second time from the same agent, previous refreshToken still active.
I think it have to be deleted nop ?

Hi Jim, There is a revoke api for refresh tokens. Clients should manage the refresh tokens. Since same OS same device will return the same agent we cannot really know which device the second login came from. Also refresh token should be revoked at logout. Which also requires client to send a revoke request.

[nyzm]

Travis shows build fail for node 10.15 , it can be built successfully on my local with the same version of node and npm.

[derrickmehaffy]

@nyzm I've restarted the node 10 build, it might have just been a random error but we will see. Sometimes the linting messes up for no reason. 🤷‍♂️

[derrickmehaffy]

Side note @nyzm if I might make a suggestion there should be an option to revoke all tokens for a user. It might be good to add a button in the adminUI. Just a thought 😄

[nyzm]

Side note @nyzm if I might make a suggestion there should be an option to revoke all tokens for a user. It might be good to add a button in the adminUI. Just a thought 😄

might be useful maybe. but sounds like nice to have :)

[derrickmehaffy]

@nyzm not sure if this is just user error, I tried manually applying these changes to my current project (commit is here: canonn-science/CAPIv2-Strapi@2606219 )

Attempting to start strapi after modifications I get the following error in the console:

[2019-03-13T06:03:29.728Z] error Cannot find the controller's action refreshtoken.findOne

[derrickmehaffy]

@lauriejim worked with @nyzm on slack, figured out the issue was it fails to start if graphQL is installed, removing graphQL and it worked fine. I'm guessing this has something to do with graphQL automatically generating schema stuff. Is there a way to exclude stuff from that? As this PR won't have a "findOne" option for a token

[alexandrebodin]

Hi @nyzm

Thank you for your work, right now I have a few security conserns about the auth flow you are proposing.

We cannot verify who (mobile app / web app etc..) is requesting the refreshtoken. And we don't have the possibility to request an access token without a refresh token.

To add refresh tokens in a secure way we need to work on building a more robust auth server.

I recommend this read to get more info https://auth0.com/docs/tokens/refresh-token/current.
And this one for mobile auth flow https://auth0.com/docs/flows/concepts/mobile-login-flow

[Aurelsicoko]

@nyzm Do you plan to make any updates on this PR? We cannot merge it until the authentication flow isn't following the guidelines quoted by @alexandrebodin.

[snaerth]

Any updates on this PR? This will be an awesome feature

[Aurelsicoko]

@snaerth Not at all, we aren't focused on this feature. I cannot give you any due date for now. What's your use case?

[andr-ec]

@Aurelsicoko I can’t speak for anyone else but for us the biggest use case is for a mobile client. Other options are not very practical or secure, like setting the expiration in a long time or storing the username and password

[lauriejim]

Hello!
Thank you for your PR!
We will not merge your PR because we plan to do a complete review of the auth in Strapi.
So this will be reviewed at this time.

[MarcWadai]

Hi,
As for today, is there any news on this side ? Is it possible to generate a refresh token on strapi ?
Or are there any recommendations on what to do for mobile application auth in Strapi ?

In my case, the auth will be using firebase and apple signin, which will then request my backend. I was thinking on generating a refresh token and control the auth from the backend side once the first authentification is done from the mobile.

[danielehrhardt]

Hello!
Thank you for your PR!
We will not merge your PR because we plan to do a complete review of the auth in Strapi.
So this will be reviewed at this time.

5 Months then we have two Years since your comment here. What is your Roadmap about this Topic?

[derrickmehaffy]

@danielehrhardt sorry plans have changed. It's most likely going to be sometime between Q2-Q4 of this year.

[devpurohit]

Will be eagerly waiting for this.