Add "refresh token" functionality to retrieve new tokens

[mrsheepuk]

Glaring security hole with the code here means that if anyone compromises a single active token, they could remain logged in forever, even if the user changed their password or "logged out".

To fix this, refresh tokens must be implemented, which can be revoked.

[SHAliakbari]

Could you provide an example of implementing refresh token .
I followed the link you provide but i can not figure it out .

[mrsheepuk]

I've not had the need to implement it yet, but the basic concept is you generate a long-lived token which can only be used to request new tokens, not for direct access to the API. The long-lived token will be verified when you access the token-request end-point against revocation data from your underlying data source, before generating a new short-lived token which can then be used to access all your API end-points (which then don't need to check revocation data in your data source).

It's particularly important in the case of an app on a phone, where typically you log in once after installing the app then never again, therefore have a token of some sort which is valid indefinitely. It's less important on a website where you can simply choose to expire logins after a given period and have the user re-log-in. It depends on your use-case.