Refresh JWT route

[yusufiga]

Informations

• Node.js version: 9.11.2
• npm version: 6.2.0
• Strapi version: 13.0.1
• Database: mysql
• Operating system: Debian

What is the current behavior?

Hi, I'm trying to use strapi as a backend for my Android project but I have a question regarding JWT. How can I refresh JWT before it expires without requesting user to login again? I can not just ask my app users to login every month. It doesn't fit to mobile app flow.

Steps to reproduce the problem

What is the expected behavior?
There should be an api to refresh JWT with existing token.

Suggested solutions

[lauriejim]

Hello @yusufiga. This feature actually not exist.

We are currently on another feature and bug fix. Since time is lacking on our side, feel free investigate and submit a PR, we’ll appreciate your contribution on this issue!

Check out the contributing guide to get started: https://github.com/strapi/strapi/blob/master/CONTRIBUTING.md

[derrickmehaffy]

@yusufiga Strapi uses an Auth0 Lib for the handling of JWT. There is an entry on its README.md: https://github.com/auth0/node-jsonwebtoken#refreshing-jwts

With some links to an example, an issue, and a PR.
https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48
auth0/node-jsonwebtoken#122
auth0/node-jsonwebtoken#172

But I do agree that a non-refreshing token and logging in every 30 days on an app would be mildly annoying.

[yusufiga]

Thanks for hint @derrickmehaffy. Unfortunately without refresh JWT, authentication is more or less useless for mobile. Since I'm not familiar with nodejs or koa, it would be nice if someone can just help me to get refresh JWT feature to strapi.

[bahdcoder]

@lauriejim, @derrickmehaffy are you working on this? If not, I can have a look and implement this feature.

[derrickmehaffy]

@bahdcoder No I feel this is probably above my skill level, but it would be nice to have. I know some of the OAuth providers also provide refresh keys (Discord comes to mind) So those should also be taken into account.

If you're up to take a look, it would be really awesome. :)

[lauriejim]

Hello @bahdcoder, we are not working on this feature. We will appreciate your contribution on it !

[derrickmehaffy]

the alternative (and quite a terrible and insecure way to handle it) @yusufiga is to cache their login information and refresh the token on the app side.

[yusufiga]

@derrickmehaffy Yes it's an alternative but as a user I wouldn't agree on keeping password on the device. I mean I can keep it encrypted but still it's not nice to keep user's password somewhere in the device.