Token and session management #34
Conversation
| const { accessToken } = this.tokens(); | ||
| if (accessToken) { | ||
| try { | ||
| const decodedAccessToken = jwtDecode(accessToken); |
There was a problem hiding this comment.
Is this the right way to do this? We're only expiring the token here on the client, correct? This means with a malicious client we can never expire them since we only check the expiration via the client's token.
This is my first time looking at this code, so definitely could be overlooking something.
There was a problem hiding this comment.
The access token expires by itself over time. The access and refresh tokens are created and stored server side.
| // Access token is expired, try to request a new token pair | ||
| await this.refreshSession(); | ||
| } else { // Access token is still valid, resume the session | ||
| this.store.dispatch(setUser(decodedAccessToken.data.user)); |
There was a problem hiding this comment.
Are we storing all the data locally here?
In general not seeing where data is being sent to the server and retreived. can you point it out?
There was a problem hiding this comment.
When the access token is created the essential user data "id, username, email" are encoded within it and returned to the client. This data is also stored server side.
There was a problem hiding this comment.
where do we actually send the data to the server?
There was a problem hiding this comment.
The this.transport.someMethod calls send data to the server, the transport is a separate package and provided to the Accounts.config in initialization.
No description provided.