I also have the problem that is, in part, mentioned in this issue.
I preferred to create a new issue because of the proper title and some clarification.
As far as I know, we have to use the auth/access token (which is fetched by the login mutation) in our request headers to authorize and gain access to mutations. Afterwards we just renew the token whenever it expires, using the new token returned by refreshJwtAuthToken. To do so, we send the previously fetched refresh token to the refreshJwtAuthToken mutation.
But I have tried using both the auth/access token AND the refresh token in the Authorization header of a mutation request (the addPost mutation, as an example), and both work!!
I think the refresh token must not be valid as an auth/access token for requests, but it is!
This could be prone to attack because the refresh token is long-lived. Thus, anyone who steals it, or even owns it, can use it for a long time to run mutations on the server.
Am I wrong?
Could anyone help?
Thank you in advance.
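To illustrate the point raised in the issue above, here is an added example (my own code, not the plugin's): a minimal HS256 JWT issuer with the two checks side by side, one that accepts any validly signed token as an access token (the behaviour the reporter observed) and one that rejects a refresh token on the Authorization header by checking a token-type claim. The claim name `type`, the lifetimes, the secret and the function names are all assumptions for the demo; the mutation names from the issue are not used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads the signing secret from configuration.
SECRET = b"demo-signing-key-not-for-production"

ACCESS_TTL = 5 * 60            # short-lived: 5 minutes (assumed)
REFRESH_TTL = 365 * 24 * 3600  # long-lived: 1 year (assumed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict) -> str:
    """Sign a JWT with HS256 over the usual header.payload.signature layout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def issue_pair(user_id: int, now: float = None) -> tuple:
    """Login result: an access token and a refresh token, distinguished by a 'type' claim."""
    now = now if now is not None else time.time()
    access = mint({"sub": user_id, "iat": now, "exp": now + ACCESS_TTL, "type": "access"})
    refresh = mint({"sub": user_id, "iat": now, "exp": now + REFRESH_TTL, "type": "refresh"})
    return access, refresh


def verify(token: str, now: float = None) -> dict:
    """Check signature and expiry only; returns the claims, raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def _bearer(auth_header: str) -> str:
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Bearer <token>'")
    return token


def vulnerable_authorize(auth_header: str) -> int:
    """Accepts any validly signed, unexpired JWT, so a long-lived refresh token works too."""
    return verify(_bearer(auth_header))["sub"]


def hardened_authorize(auth_header: str) -> int:
    """Same signature/expiry check, plus: only tokens minted as access tokens are accepted."""
    claims = verify(_bearer(auth_header))
    if claims.get("type") != "access":
        raise PermissionError("refresh tokens may not be used as access tokens")
    return claims["sub"]


def refresh_access_token(refresh_token: str, now: float = None) -> str:
    """The refresh mutation: only a token minted as a refresh token may mint a new access token."""
    claims = verify(refresh_token, now)
    if claims.get("type") != "refresh":
        raise PermissionError("only a refresh token may be exchanged for a new access token")
    now = now if now is not None else time.time()
    return mint({"sub": claims["sub"], "iat": now, "exp": now + ACCESS_TTL, "type": "access"})


if __name__ == "__main__":
    access, refresh = issue_pair(42)
    print("vulnerable check, refresh token:", vulnerable_authorize("Bearer " + refresh))
    try:
        hardened_authorize("Bearer " + refresh)
    except PermissionError as e:
        print("hardened check, refresh token:", e)
    print("hardened check, access token:", hardened_authorize("Bearer " + access))
```

The asymmetry is the whole fix: both checks share the signature and expiry validation, so the refresh token is "valid" in the cryptographic sense either way, and only an explicit type check (or, equivalently, signing the two token kinds with different keys) keeps the long-lived token out of the Authorization header.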
ModulesSoft changed the title from "Why both refresh and auth tokens are valid to authorize mutation requests?" to "Why both refresh and auth tokens are valid to authorize mutation requests?!" on Nov 14, 2021.