I have a system where the authentication is based around JWT. I have a JWT auth token, and a refresh token on the client. The refresh token is stored in the database on the server, and is used to refresh the JWT once the JWT expires every 12 hours - pretty standard setup I believe.
My issue is incorporating it in to my React Native project and handling token expiration. The user will likely be performing many API calls to their "protected" areas which require the JWT, but once the JWT expires it will send back a "UnauthorizedError" like so:
router.use('/protected', ejwt({secret: config.secret}));
//catch any errors if the JWT is not valid
router.use((err, req, res, next) => {
if (err.name === 'UnauthorizedError') {
res.status(401).send({
success: false,
error: "UnauthorizedError"
});
}
});
This will send back to the RN app that the JWT has expired, but at this point I would like the app to send another request back to the server generate a new JWT, but I'm not sure of a way to do this most efficiently for every API call initiated from my app. Each API call could call a function to check the server if the returned value is "UnauthorizedError", but I know this isn't the best way:
return AuthApi.someApiCall(token).then(response => {
if(response.success){
//do some success stuff
}else{
//this seems bad to be repeated for every API call
checkToken(response).then(() => {
dispatch(updateAuthToken());
});
}
})
I've been looking around and Redux middleware looks promising, but I don't know if there's a more established way perhaps, or anyone has any other thoughts?
Thanks!
Related
I need a sanity check on what I'm trying to do here.
I want to build a webapp with nextjs where people can log in with discord and as a backend API I want to use a aspnetcore web api.
I got next-auth to work with discord pretty quickly in the frontend. However I'm struggling on how to identify my frontend to my backend.
My plan at the moment is to have my backend create another JWT token and save that somewhere and then use it as the Authorization header in calls to the backend api.
next-auth has callbacks where I can edit the session and the token. So what I plan to do at the moment is just call the backendapi/createJwtToken endpoint, save it to the already existing next-auth token and then into the next-auth session.
Then I could access it anywhere and don't have to refresh until the session is gone.
I can do that with next-auth callbacks
callbacks: {
async session({ session, token, user }) {
session.backendApiToken = token.backendApiToken;
return session;
},
async jwt({ token, account }) {
if (account) { // this fires only on sign in
token.backendApiToken = "ABC - get it from backend/createToken";
}
return token;
},
Is this okay? I know how to create and validate tokens in an aspnetcore api.
Is something unsecure or strange about saving an encoded apiToken in the next-auth token? Or is this absolutely normal?
I'm trying to build SSR application using NextJS and apollo-client on the frontend, and graphql with express using (graphQL Yoga) on the backend.
I came from client side rendering background and things there are simpler than SSR when it comes to authentication, in regular client side rendering my approach to authenticate user was like:
1- once the user login after server validation, sign a JWT with current user data, then send it to the client side, and save it in localstorage or cookies, etc...
2- implement a loadUser() function and call it in the (root) App component's useEffect hook to load the user in every component (page) if the JWT in localstorage is valid.
3- if the JWT isn't there or is invalid just return user as null and redirect to login page.
so in Next.js i know we can't access localstorage cause it works server side, so we just save the token in a cookie, and the approach i implemented is painful and i was wondering if there is an pimplier way, my approach is like:
1- once the user login he calls the login mutation which sets a cookie in the req header, and return a user and any data i want.
2- in each page that requires authentication i need to get the token from the cookie to send it back in the header and i did that in getInitialProps() or getServerSideProps() cause both runs server side and have access to the request cookies in the header like so:
export const getServerSideProps = async ctx => {
const apolloClient = initializeApollo();
// get the cookies from the headers in the request object
const token = ctx.req.headers.cookie ? ctx.req.headers.cookie : null;
return {
props: {
initialApolloState: apolloClient.cache.extract(),
token: token
}
};
};
now i have access to the token in the page props and can send the token back with the req header with my apollo client like so:
let getUserQuery = await apolloClient.query({
query: GET_USER_QUERY,
variables: { id: ctx.params.id },
context: { headers: { token: token } }
});
now i have access to the token in the server side request like req.headers.token
what i wanna achieve:
1- is there an easier way to implement loadUser() that loads the user with every page render that i can implement in next.js custom _app , i found this answer but it doesn't return auth object or user in all components as he mentioned in his answer.
2- i read that if i set cookies httpOnly and credentials: "include" i have access to cookie in every request, but it seems that it doesn't work with apollo client, that would be awesome if there is an alternative approach.
3- there is apollo-link-context provided by apollo team where i can send a token or any value in every request's header using setContext() like so:
const authLink = setContext((_, { headers }) => {
// get the authentication token from local storage if it exists
const token = localStorage.getItem('token');
// return the headers to the context so httpLink can read them
return {
headers: {
...headers,
authorization: token ? `Bearer ${token}` : "",
}
}
});
but since i don't have access to localstorage i can't implement it cause next runs server side, so if anyone has an implementation for this please consider sharing.
PS. i made this thread after searching and reading for like 1 week and it's my last resort to ask you guys, and thanks in advance.
get token by store
store.getState()..path.to.your.token
the problem is that the token doesn't completely update when the blind changes and I'm looking for a solution.
I have a problem creating graphql server and checking auth. I automatically created schemas with Prisma, and I manually added to the schema by creating a 'signin' mutation. I have also added the jwt checking (auth) middleware, as shown in the following code:
server.express.post(
server.options.endpoint,
auth,
(err, req, res, next) => {
console.log('bb');
if (err) return res.status(401).send(err.message)
next()
}
)
The problem is that the token is checked even when the signin is done.
Is there a way not to confirm tokens when requesting signin interaction, or if so, how do I get over it?
(is it right that there isn't token when client doesn't signed in?)
In your auth middleware, you can access the Request (req). You could check to see which operation if called.
If you are calling the login operation, call next()
Otherwise, check the token
I'm using PassportJS along with openid-client and cookie-session in my Express server for authentication. I'm using openid-client's "Usage with Passport" as a starting point, and I'm currently able to authenticate successfully. Since I need an access token for APIs that are proxied through my server, I chose to save the access token in my user session with this bit of code:
passport.use(
'oidc',
new Strategy(
{ client, params, passReqToCallback, sessionKey, usePKCE },
(req, tokenset, userinfo, done) => {
logger.info('Retrieved tokenset & userinfo');
// Attach tokens to the stored userinfo.
userinfo.tokenset = tokenset;
return done(null, userinfo);
}
)
);
My next step is to get and store a new access token. Part of the information that comes with tokenset is the expires_at key, and it's set to expire in one hour. So of course, if it's close to expiring or has expired, I want to get a new token.
The documentation says to use:
client.refresh(refreshToken) // => Promise
.then(function (tokenSet) {
console.log('refreshed and validated tokens %j', tokenSet);
console.log('refreshed id_token claims %j', tokenSet.claims);
});
Okay, I understand that and I have that bit of code working as well. But I have no idea how to save it back into my user session. If I make a subsequent API call that's proxied through my server, I'll still have the old token in req.session.passport.user.tokenset.access_token. So how do I update that?
(I probably should put as a caveat I'm still very new to OpenID / Oauth authentication as well as Passport itself, so some of what I'm doing may be completely obvious.)
I have a working oauth2 authentication process where I get an access token (eg from facebook) using ember simple auth, send it to the back end which calls fb.me() and then uses JWT to create a token. This token is then sent back to the ember app, which then has to send it with every server request, include those requests made by ember-data.
I also need to have this token available after a browser reload.
I have tried many options, where I set a property 'authToken' on the session - I believe that this uses local storage to persist the authenticated session.
But I always seem to have trouble with coordinating the retrieval of this token - either I don't have access to the session, or the token is no longer on the session, or I can't change the ember data headers.
Does anyone have a working simple example of how this can be done - I think it should be easy, but I'm obviously missing something!
Thanks.
Update
The only thing I've been able to get working is to use torii as shown below, but the session content is still lost on refresh - I can see its still authenticated, but its lost the token I set here. So I'm still looking for a real solution.
authenticateWithGooglePlus: function () {
var self = this;
this.get('session').authenticate('simple-auth-authenticator:torii', 'google-oauth2')
.then(function () {
resolveCodeToToken(self.get('session'), self);
});
}
resolveCodeToToken gets the bearer token from the server, sets it on the session and then transitions to the protected page:
function resolveCodeToToken(session, route) {
var authCode = session.content.authorizationCode;
var type = session.content.provider.split('-')[0];
$.ajax({
url: 'http://localhost:4200/api/1/user/auth/' + type,
data: {authCode: authCode}
}).done(function (response) {
// todo handle invalid cases - where user is denied access eg user is disabled
session.set('authToken', response.token);
route.transitionTo('activity', moment().format('DDMMYYYY'));
});
}
And I have a custom authorizer for putting the token (stored in the session) on every request:
import Base from 'simple-auth/authorizers/base';
export default Base.extend({
authorize: function(jqXHR, requestOptions) {
var accessToken = this.get('session.content.authToken');
if (this.get('session.isAuthenticated') && !Ember.isEmpty(accessToken)) {
jqXHR.setRequestHeader('Authorization', accessToken);
}
}
});
I'm not sure why this.get('session.content.authToken') would be undefined after a refresh, I thought by default the session was persisted in local storage. The fact that it is authenticated is persisted, but thats useless without the token since the server will reject calls to protected endpoints.
You'd want to implement your own custom authenticator that first gets a token from Facebook and then sends that to your own server to exchange it for a token for your app. Once you have that you get authorization of ember-data requests as well as session persistence etc. for free.
Have a look at this example: https://github.com/simplabs/ember-simple-auth/blob/master/examples/7-multiple-external-providers.html