I have just tried JWT auth with LARAVEL and this https://github.com/tymondesigns/jwt-auth
But there's something i can't understand. In their config they put :
'ttl' => env('JWT_TTL', 60), // in munutes
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160), // in minutes
What i understant : the token's live is 1hour and can be refreshed within 2 weeks
But after 3hours, if i try to query something, it says "token expired".
Does this system mean, a user must get his token updated / refreshed within every hour but with a limit of 2 weeks ? I don't get it.
How can a user persist login with this kind of system ? How is the refresh Token useful when after the first hour, though it hasn't been 2 weeks yet, i can't get a fresh token ?
thanks
UPDATE: CODE
config/jwt.php
'ttl' => 2, // 2 minutes
'refresh_ttl' => 5, // 5 minutes
routes/api.php
Route::post('/login', 'AuthController@login');
Route::get('/test', 'AuthController@test')->middleware('jwt.auth', 'jwt.refresh');
Http/Controllers/AuthController
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
class AuthController extends Controller
{
    public function test()
    {
        return response()->json(['coucou' => 1]);
    }
    public function login(Request $request)
    {
        // grab credentials from the request
        $credentials = $request->only('email', 'password');
        try {
            // attempt to verify the credentials and create a token for the user
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong whilst attempting to encode the token
            return response()->json(['error' => 'could_not_create_token'], 500);
        }
        // all good so return the token
        return response()->json(compact('token'));
    }
}
AND THIS IS THE FLOW :
request to /login with {username: xxx, password: xxx} response of /login > {token: xxxxxxx}
request to /test straight after (10 secs) with Bearer xxxxxx response of /test > the good json response with NEW TOKEN in HEADER
request to /test after 3 minutes (so 3mins 10 secs have past now, less than the 5min of refresh limit) response of /test > token expired
I don't understand.
After the access token is expired you can use the refresh token to get a new access token without asking the user to input his username and password again. Only after the refresh token is expired, the user needs to login again.
But after 3hours, if i try to query something, it says "token expired".
that's because the access token is expired.
Does this system mean, a user must get his token updated / refreshed within every hour but with a limit of 2 weeks ? I don't get it.
yes. You keep the refresh token in your client system and use it to request a new access token when the access token is expired.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With