
Django Refresh Token Rotation and User Page Refresh


I'm using Django simple JWT to implement user authentication. I have made a few adjustments so the access token and refresh token are sent as HTTP-only cookies, and everything works well.

On the frontend I have implemented persistent login, which keeps the user logged in when they refresh the page, close the browser, etc.

But since I have enabled these settings:

"ROTATE_REFRESH_TOKENS": True,
"BLACKLIST_AFTER_ROTATION": True,

If the user refreshes the page multiple times in a very short time, it may happen that a token is blacklisted before the user receives the new refresh token.

Is there a way to fix that? One possible fix, though I'm not sure of its reliability, is disabling the automatic blacklisting and waiting for the frontend to send a request once it has received the new refresh token, with the old refresh token in the request body, like this:

from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework_simplejwt import tokens
from rest_framework_simplejwt.exceptions import TokenError


@api_view(['POST'])
def blacklist_token(request):
    # Old refresh token, posted by the frontend after it has stored the rotated one
    refresh_token = request.data.get("refresh")
    if refresh_token:
        try:
            tokens.RefreshToken(refresh_token).blacklist()
        except TokenError:
            pass  # already blacklisted, expired or malformed: nothing left to do
    return Response(status=status.HTTP_200_OK)

PS: Using React.js on the frontend


Solution

  • Refreshing a page should not require a token refresh. Instead, the backend should receive and use the existing access token (from the HTTP-only cookie).

    When the access token expires, the backend should return a 401 unauthorized response to the frontend. The frontend can then perform a synchronized token refresh.

    This copes reliably with multiple views getting data concurrently. If only a single view gets data at a time, it is safe to initiate the token refresh server side instead.

    Eventually, the refresh token will also expire. In OAuth 2.0, the authorization server returns an invalid_grant error code in this case. The frontend then redirects the user to authenticate again.

    I would recommend rehearsing these expiry events, since that's a great way to ensure a reliable app, where the user never experiences unnecessary errors.
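The synchronized refresh the answer describes, as an added example that is not code from the question, the answer or simplejwt itself. It uses a constructed in-memory stand-in for a simplejwt backend running with ROTATE_REFRESH_TOKENS and BLACKLIST_AFTER_ROTATION plus the browser's cookie jar (the endpoint paths /api/token/refresh/ and /api/me/ are assumed), and contrasts a client that shares one in-flight refresh across concurrent 401s with a naive client that refreshes per request and so trips over the blacklisted token the question describes.

```javascript
function makeBackend() {
  // Constructed stand-in for simplejwt's blacklist table and the browser's cookie jar (access expired).
  const db = { blacklist: new Set(), seq: 1, refreshHits: 0 };
  const jar = { refresh: "r1", accessValid: false };
  // Like fetch(url, { credentials: "include" }): the cookie is captured when the request is issued.
  async function request(path) {
    const sent = jar.refresh;
    await Promise.resolve(); // simulated network round trip
    if (path !== "/api/token/refresh/") return { status: jar.accessValid ? 200 : 401 };
    db.refreshHits += 1;
    if (db.blacklist.has(sent)) return { status: 401, code: "token_not_valid" };
    db.blacklist.add(sent);         // BLACKLIST_AFTER_ROTATION
    jar.refresh = "r" + (++db.seq); // ROTATE_REFRESH_TOKENS, delivered via Set-Cookie
    jar.accessValid = true;
    return { status: 200 };
  }
  return { request, db, jar };
}
// Synchronised refresh: every caller that hits a 401 awaits the same in-flight
// refresh, so the old refresh token is presented to the server exactly once.
function makeClient(request) {
  let inflight = null;
  const refreshOnce = () => {
    if (!inflight) inflight = request("/api/token/refresh/").finally(() => { inflight = null; });
    return inflight;
  };
  return async function fetchWithAuth(path) {
    const first = await request(path);
    if (first.status !== 401) return first;
    const refreshed = await refreshOnce();
    if (refreshed.status !== 200) throw new Error("session expired: redirect to login");
    return request(path); // retry with the new access cookie
  };
}
// Naive client for contrast: each 401 fires its own refresh carrying the same old cookie.
function makeNaiveClient(request) {
  return async function fetchNaive(path) {
    const first = await request(path);
    if (first.status !== 401) return first;
    const refreshed = await request("/api/token/refresh/");
    if (refreshed.status !== 200) throw new Error("session expired: redirect to login");
    return request(path);
  };
}
// n views mount after a page refresh and load data concurrently; returns how many got a 200.
async function loadViews(fetcher, n) {
  const results = await Promise.allSettled(Array.from({ length: n }, () => fetcher("/api/me/")));
  return results.filter((r) => r.status === "fulfilled" && r.value.status === 200).length;
}
```

With five views loading at once, the synchronised client makes a single refresh call and all five succeed, while the naive client makes five refresh calls of which only the first is accepted.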