Jwt-auth: Refresh not working when token is expired but still within the refresh ttl

Created on 4 Jan 2018 · 9 Comments · Source: tymondesigns/jwt-auth

Hey 🙂

I have set up an installation of Laravel 5.5 with tymon/jwt-auth:1.0.0-rc1 and everything works great, except for 1 thing it seems (or maybe I don't understand it quite right).. I have had everything at the default settings and just followed the 1.0 wiki.

I create a token, then wait around 2 hours (to make sure the token is expired), and then when I try to refresh the token it responds with Unauthorized. When I try to refresh before the token has expired, it works great.

Is this a bug or am I just not understanding it right? I expected to be able to refresh the token even when it is expired because of the JWT_REFRESH_TTL but that doesn't seem to work.

I don't know if I have provided you with enough information, so if you need more information just ask 😄

Thanks in advance!

Edit: Could it be that this happens because it blacklists the old token before it creates a new token or something like that?


All 9 comments

I have made some progress, although I don't really know if it is the proper way to do it..

In the docs for 1.0.0-rc1:

$this->middleware('auth:api', ['except' => ['login']]);

So the refresh route is protected, but of course it doesn't get through the auth middleware when the token is expired, so I added the refresh route like this:

$this->middleware('auth:api', ['except' => ['login', 'refresh']]);

I don't know if this has negative side effects or maybe they have forgotten to add it in the docs?
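
The two time windows at issue in the comment above, as a simplified model added here for illustration; it is not part of the thread and not jwt-auth's own code. The secret, both TTL values, the timestamps and all function names are constructed for the example.

```php
<?php
// Simplified model added for illustration; not jwt-auth's implementation.
// SECRET, both TTLs and the timestamps are constructed values.
const SECRET = 'constructed-demo-secret';
const TTL_MIN = 60;            // token lifetime in minutes (assumed)
const REFRESH_TTL_MIN = 20160; // refresh window in minutes, from iat (assumed)

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function issue(string $sub, int $now): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode(['sub' => $sub, 'iat' => $now, 'exp' => $now + TTL_MIN * 60]));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
}

// Signature check only (HS256 is fixed, the header is never trusted).
function verified_claims(string $jwt): ?array {
    $p = explode('.', $jwt);
    if (count($p) !== 3) return null;
    $sig = b64url(hash_hmac('sha256', "$p[0].$p[1]", SECRET, true));
    if (!hash_equals($sig, $p[2])) return null;
    return json_decode(base64_decode(strtr($p[1], '-_', '+/')), true);
}

// Guard on ordinary routes: valid signature AND not past exp.
function auth_guard(string $jwt, int $now): bool {
    $c = verified_claims($jwt);
    return $c !== null && $now < $c['exp'];
}

// Refresh: exp is ignored, but signature, refresh window and single use are enforced.
function refresh(string $jwt, int $now, array &$blacklist): ?string {
    $c = verified_claims($jwt);
    if ($c === null || isset($blacklist[$jwt])) return null;
    if ($now >= $c['iat'] + REFRESH_TTL_MIN * 60) return null;
    $blacklist[$jwt] = true; // the old token cannot be refreshed twice
    return issue($c['sub'], $now);
}

$t0 = 1515024000; $used = [];
$old = issue('user-1', $t0);
$later = $t0 + 2 * 3600; // two hours after issue, as in the report above
var_dump(auth_guard($old, $later));               // expired token at the guard
var_dump(refresh($old, $later, $used) !== null);  // first refresh inside the window
var_dump(refresh($old, $later, $used) !== null);  // same token presented again
var_dump(refresh(issue('user-2', $t0), $t0 + REFRESH_TTL_MIN * 60, $used) !== null); // window over
```

In this model, taking `refresh` out from behind the guard does not leave it unauthenticated, because the refresh step performs its own signature, window and reuse checks.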

I think it was forgotten in the documentation, because it does make the refresh work correctly.

@medz Are you not supposed to be able to refresh after the token has expired then? Or what do you mean?

@luukhoeben Your code is successful. The docs are wrong.

@medz Ah okay haha, I thought you meant it is correct in the docs, sorry about that 🙂 I don't really know if there is a better way to do this though, but this works at least. If someone knows a better way, I'd like to know ^^

@lucasmichot 😂 I like your avatar.

Did you find some way to fix this? I'm having the same error. I'm working with Angular and interceptors. When I refresh the token, it turns out that it cannot be refreshed because it's expired. Please help.

Write in /app/Exceptions/Handler.php in render():

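// Needs at the top of Handler.php: use Tymon\JWTAuth\Exceptions\TokenExpiredException;
// and: use Illuminate\Http\Response;
if (($exception instanceof TokenExpiredException)) {
    return response()->json(['error' => 'Token has expired and can no longer be refreshed'], Response::HTTP_UNAUTHORIZED);
}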

In the frontend: if 401 -> redirect to login

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
