Jwt-auth: Refresh middleware

Created on 6 Jun 2018 · 4 Comments · Source: tymondesigns/jwt-auth

Subject of the issue

I'm using `middleware('auth:api', ['except' => ['login']])` in the constructor, as provided in the jwt wiki.
As I understand JWT, I should be able to refresh a token without having a valid token, but the token should be valid only for refresh (because the Refresh TTL is longer than the normal token TTL). But if I use this middleware I can't refresh the token after the normal TTL has passed, because it says 'Unauthorized' even though the TTL for refresh hasn't passed.

Shouldn't the middleware be set to except ['refresh'] too?

Your environment

| Q | A
| ----------------- | ---
| Bug? | yes
| New Feature? | no
| Framework | Laravel
| Framework version | 5.6
| Package version | 1.0.0
| PHP version | 7.2

Steps to reproduce

Use middleware('auth:api', ['except' => ['login']]) in AuthController

Expected behaviour

Token refresh without being authorized, just the token check

Actual behaviour

Can't refresh token without having valid normal ttl token

stale

All 4 comments

I'm having the same issue. It appears that the config setting for `refresh_ttl` is not being respected by the refresh method. Any recommendation on how to refresh an expired token that has not exceeded the `refresh_ttl` setting?

@bauersfeld no reply from developers, so for now my solution is as I wrote:
```php
$this->middleware('auth:api', ['except' => ['login', 'refresh']]);
```

Don't use any middleware. I just use the following controller:

```php
<?php

namespace App\Http\Controllers;

use App\Http\Controllers\Controller;
use Tymon\JWTAuth\Exceptions\TokenBlacklistedException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;

class RefreshController extends Controller
{
    public function refresh()
    {
        try {
            return auth()->refresh();
        } catch (TokenExpiredException $e) {
            //Do something 
            return $e->getMessage();
        } catch (TokenBlacklistedException $e) {
            return $e->getMessage();
        } catch (\Exception $e) {
            return $e->getMessage();
        }
    }
}
```
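The two validity windows discussed in this thread, as an added example that is not code from the thread or from jwt-auth: once the refresh route sits outside the `auth:api` guard, the refresh handler itself has to check the signature, the refresh window and single use. The function names, secret, window lengths and timestamps are all constructed for illustration.

```php
<?php // Added example, not jwt-auth code: secret, windows and timestamps are constructed.
const SECRET = 'constructed-demo-secret';
const TTL = 3600;            // access window in seconds, counted from iat
const REFRESH_TTL = 1209600; // refresh window in seconds, counted from iat
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function issue(string $sub, int $now): string
{
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode(['sub' => $sub, 'iat' => $now, 'exp' => $now + TTL]));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
}

// Signature check shared by both paths: returns the claims or throws.
function claims(string $token): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", SECRET, true));
    if (!hash_equals($expected, $sig)) throw new RuntimeException('bad signature');
    return json_decode(base64_decode(strtr($body, '-_', '+/')), true);
}

// What a guard in front of a protected route enforces: exp still in the future.
function canAccess(string $token, int $now): bool
{
    return claims($token)['exp'] > $now;
}

// What a refresh route left outside that guard has to enforce by itself.
function refresh(string $token, int $now, array &$blacklist): string
{
    $c = claims($token);
    if (isset($blacklist[$token])) throw new RuntimeException('token already used for refresh');
    if ($c['iat'] + REFRESH_TTL <= $now) throw new RuntimeException('refresh window passed');
    $blacklist[$token] = true; // single use: the old token cannot be replayed
    return issue($c['sub'], $now);
}

$t0 = 1528243200;       // constructed issue time
$later = $t0 + 2 * TTL; // past the access window, inside the refresh window
$blacklist = [];
$old = issue('user-1', $t0);
$new = refresh($old, $later, $blacklist);
var_dump(canAccess($old, $later), canAccess($new, $later));
try { refresh($old, $later, $blacklist); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```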

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
