I am using jsonwebtoken in NodeJs API application for authenticating user in my API application. The flow that I have setup is as follows:
1) The user registers through signup API and the access token is generated using the following:
var jwt = require('jsonwebtoken');
var token = jwt.sign(user, _conf.authentication.superSecret, {
expiresIn: 1440 // I intend to keep it short.
});
2) The token expires in 24 hours for example. This token is returned to the client mobile application to use as header in all the subsequent API requests.
I want to know how do I work around with refresh token for jwt. Currently I don't have a mechanism for refreshing token. Hence if the token expires in 24 hours I want the client (mobile app) to be able to request a new access token. Thanks in advance.
I had same problem in a project.
1) I created the refresh token and returned it when user signed in (with the jsonwebtoken). I saved the refresh token with the user.
2) When client send a request with the expired token, server returns 401.
3) I implemented a new path to refresh the token. It receives the refresh token and the user as param and returns a new token (jsonwebtoken).
4) (optional) You can implement a mechanism for invalidating a refresh token, in case someone stole it
I based my implementation in this post, really good snippets:
Refresh token in JWT (Node.js implementation)
Hope it helps