Jwt-auth: JWT_BLACKLIST_GRACE_PERIOD not working when refreshing tokens

Created on 10 May 2017 · 3 comments · Source: tymondesigns/jwt-auth

I'm using:

  • Angular 4.1.1 (front-end)
  • Laravel 5.4.19 (back-end / api)

Situation:

Every HTTP request in Angular is wrapped with an interceptor that checks the current token using angular2-jwt _(v0.2.3)_.
If the token has expired, a new request is sent to the API to refresh it using this package
_(v1.0.x-dev 9f759fe)_.
The problem starts when the page requires multiple requests to fetch all the data required, triggering more than 4 refresh-token requests. One of the requests does its job and returns a 200 OK status.
But part of its job is to blacklist the old token, so now all the other requests that try to get a new token are using a blacklisted token; they return a 403 Forbidden status and break all the following requests.

Using the JWT_BLACKLIST_GRACE_PERIOD seems like the logical solution, but I can't seem to get it to work. I've set it to 5, 10, 100, 1000... seconds inside my project's .env file, but the problem seems to persist in the exact same manner.

Am I doing something wrong?
I've tried to find a solution on the net but nothing seems to fix the issue. I've looked at most of the ISSUES concerning Refreshing Tokens here but nothing seemed to solve the issue I'm having.

Thank you for your time.

All 3 comments

@mihailomisic Check your refresh endpoint. If you're seeing JWTAuth::refresh(true) then it means the blacklist is forever and the grace period is ignored.

Hmm, it's a bit different. Let me explain the process I'm currently using to refresh the token.

Ahhhh writing this I've solved my problem thanks to you pointing out the refresh part!

On each request Angular checks if the token is valid; if it's not, my HttpService sends a request to my API targeting the Route::post('refresh-token', 'Api\ApiLoginController@refreshToken') endpoint with the token inside the request headers (Authorization).

This is what Api\ApiLoginController@refreshToken _(wrong)_ looks like:

```php
$token = JWTAuth::getToken();
if (!$token) {
    return response()->json([
        'status'  => 'error',
        'message' => 'Token no proporcionado.',
        'data'    => null
    ], 401);
}

// <--- THE PROBLEM: refresh() takes ($forceForever, $resetClaims), not the token.
// A non-empty token string is truthy, so this call behaves like refresh(true):
// the old token is blacklisted forever and JWT_BLACKLIST_GRACE_PERIOD is ignored.
$token = JWTAuth::refresh($token);

return response()->json([
    'status' => 'ok',
    'data'   => [
        'token' => $token
    ]
]);
```

This is what Api\ApiLoginController@refreshToken _(correct)_ looks like:

```php
$token = JWTAuth::getToken();
if (!$token) {
    return response()->json([
        'status'  => 'error',
        'message' => 'Token no proporcionado.',
        'data'    => null
    ], 401);
}

// <--- THE FIX: refresh the token already parsed by getToken(); $forceForever = false
// keeps the old token usable for JWT_BLACKLIST_GRACE_PERIOD seconds.
$token = JWTAuth::refresh(false);

return response()->json([
    'status' => 'ok',
    'data'   => [
        'token' => $token
    ]
]);
```

The Issue was my bad, thank you for the answer.
Everything seems to be working just fine now! :)
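To make the behaviour in this thread concrete (several in-flight requests racing to refresh the same expired token, and why a forced-forever blacklist entry defeats the grace period), here is a small Python model I added; it is not code from jwt-auth or from the issue author. It mirrors the package's documented semantics only: `refresh()` blacklists the old token, a normal entry stays usable until `now + JWT_BLACKLIST_GRACE_PERIOD`, and a "forever" entry is rejected immediately. The clock, the `Blacklist`/`Auth` classes, the token ids and the request counts are all constructed for the simulation.

```python
"""Model of a JWT refresh blacklist with a grace period (constructed example).

Mirrors the behaviour discussed in the thread: refresh() blacklists the old
token; a normal entry is tolerated until now + grace period so concurrent
requests that raced with the first refresh still succeed; a "forever" entry
(refresh(true), or refresh($token) where the truthy string is taken as
$forceForever) is rejected at once.
"""
import itertools

FOREVER = "forever"


class FakeClock:
    """Injectable clock so the grace window can be stepped deterministically."""

    def __init__(self, now=0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds


class Blacklist:
    def __init__(self, clock, grace_period):
        self.clock = clock
        self.grace_period = grace_period  # stands in for JWT_BLACKLIST_GRACE_PERIOD (seconds)
        self.entries = {}                 # jti -> valid_until timestamp, or FOREVER

    def add(self, jti):
        # Normal refresh: keep the first entry, old token usable until now + grace.
        self.entries.setdefault(jti, self.clock.now + self.grace_period)

    def add_forever(self, jti):
        # Forced refresh: no grace window at all.
        self.entries[jti] = FOREVER

    def has(self, jti):
        """True when the token must be rejected."""
        valid_until = self.entries.get(jti)
        if valid_until is None:
            return False
        if valid_until == FOREVER:
            return True
        return self.clock.now >= valid_until


class Auth:
    def __init__(self, blacklist):
        self.blacklist = blacklist
        self._ids = itertools.count(1)

    def refresh(self, old_jti, force_forever=False):
        """Return a new token id, or None (the 403 in the thread) if rejected."""
        if self.blacklist.has(old_jti):
            return None
        if force_forever:
            self.blacklist.add_forever(old_jti)
        else:
            self.blacklist.add(old_jti)
        return f"tok-{next(self._ids)}"


def simulate_concurrent_refreshes(n_requests, grace_period, force_forever, clock=None):
    """n requests all hold the same expired token and refresh it back to back.

    Returns (number of 200s, number of 403s)."""
    clock = clock or FakeClock()
    auth = Auth(Blacklist(clock, grace_period))
    ok = forbidden = 0
    for _ in range(n_requests):
        if auth.refresh("old-token", force_forever) is None:
            forbidden += 1
        else:
            ok += 1
    return ok, forbidden


def grace_expires(grace_period):
    """After the window has elapsed the old token is rejected again."""
    clock = FakeClock()
    auth = Auth(Blacklist(clock, grace_period))
    first = auth.refresh("old-token")
    clock.advance(grace_period)
    late = auth.refresh("old-token")
    return first is not None, late is None


if __name__ == "__main__":
    print("forever, 4 concurrent  :", simulate_concurrent_refreshes(4, 10, True))
    print("grace 10s, 4 concurrent:", simulate_concurrent_refreshes(4, 10, False))
    print("grace 0s, 4 concurrent :", simulate_concurrent_refreshes(4, 0, False))
    print("old token after window :", grace_expires(10))
```

The model also shows the trade-off a defender should keep in mind: inside the grace window the same old token can be refreshed several times, each minting a fresh token, so the window should be only as long as the front-end's burst of parallel requests needs (a few seconds), not the hundreds of seconds tried in the issue. The same model applies to any refresh flow that blacklists the previous token, not just this package.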

@mihailo-misic looks like this is not invalidating the old token
