Is this Express JWT authentication REST API correct?
Unanswered
Rhinelander posted this in #help-forum
Rhinelander (OP)
Hey, I am trying to connect my backend auth with the frontend. I am using OTP auth (passwordless). First I send an OTP and then verify it; if the OTP is correct I generate a JWT token and add it to the DB.
Token generation after the OTP is verified:

```ts
// ...
// Claims copied from the user record into both tokens
const payload = {
  firstname: user.firstname,
  lastname: user.lastname,
  phone: user.phone,
  role: user.role,
}
// Short-lived access token
const accessToken = jwt.sign(payload, process.env.ACCESS_TOKEN_SECRET!, {
  expiresIn: "15m",
})
// Long-lived refresh token, signed with a separate secret
const refreshToken = jwt.sign(
  payload,
  process.env.REFRESH_TOKEN_SECRET!,
  {
    expiresIn: "90d",
  }
)
// Persist the refresh token so it can be deleted on logout
await prisma.refreshToken.create({
  data: {
    token: refreshToken,
    userId: user.id,
  },
})
// ...
```

In "/token" I validate the refresh token and generate a new access token:

```ts
jwt.verify(
  refreshToken,
  process.env.REFRESH_TOKEN_SECRET!,
  (err: Error | null, payload: any) => {
    if (err) {
      return res.status(403).json({ error: "Invalid refresh token." });
    }
    const { firstname, lastname, phone, role } = payload as Payload;
    // Re-sign the same claims as a fresh access token
    const newAccessToken = jwt.sign(
      {
        firstname,
        lastname,
        phone,
        role,
      },
      process.env.ACCESS_TOKEN_SECRET!,
      { expiresIn: "15m" }
    );
    res.json({ accessToken: newAccessToken });
  }
);
```

Middleware:

```ts
const authHeader = req.headers["authorization"];
// ...more logic (the fragment assumes `token` has been taken from this header)
jwt.verify(
  token,
  process.env.ACCESS_TOKEN_SECRET!,
  (err: any, payload: any) => {
    if (err) return res.sendStatus(403);
    req.payload = payload;
    next();
  }
);
```

Logout:

```ts
await prisma.refreshToken.delete({ where: { token: req.body.token } });
```