
Why both refresh and auth tokens are valid to authorize mutation requests?! #144

Open
ModulesSoft opened this issue Nov 14, 2021 · 1 comment

ModulesSoft commented Nov 14, 2021

Hello guys,

I also have the problem that is mentioned, more or less, in this issue.
I preferred to create a new issue with a more specific title and some clarification.

As far as I know, we have to use the auth/access token (which is fetched by the login mutation) in our request headers to authorize and gain access to query mutations. Afterwards we just renew the token whenever it expires, using the new token returned by refreshJwtAuthToken. Therefore, we send the previously fetched refresh token to the refreshJwtAuthToken mutation.

But I have tried using both the auth/access token AND the refresh token in the authorization header of a mutation request (for the addPost mutation, as an example) and both work!!
I think the refresh token must not be valid as an auth/access token for requests, but it is!

This could be prone to attack because the refresh token is long-lived. Thus, anyone who steals it, or even owns it, can use it for a long time to query mutations on the server.

Am I wrong?
Could anyone help?

Thank you in advance.

@ModulesSoft ModulesSoft changed the title Why both refresh and auth tokens are valid to authorize mutation requests? Why both refresh and auth tokens are valid to authorize mutation requests?! Nov 14, 2021
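The separation the post is asking for, shown as an added illustration that is not code from the WPGraphQL JWT Authentication plugin or from the issue author: a minimal HS256 JWT issuer and verifier built on Python's standard library that stamps every token with a `type` claim, so the mutation guard accepts only `access` tokens and the refresh endpoint accepts only `refresh` tokens, even though both are signed with the same secret. The function names, the `type` claim name, the lifetimes and the secret are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"

ACCESS_TTL = 300                 # assumed: 5 minutes for access tokens
REFRESH_TTL = 14 * 24 * 3600     # assumed: 14 days for refresh tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, token_type: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose payload carries an explicit 'type' claim.

    The 'type' claim ('access' or 'refresh') is what lets a verifier tell the
    two kinds apart; without it, any validly signed token looks the same.
    """
    if token_type not in ("access", "refresh"):
        raise ValueError("token_type must be 'access' or 'refresh'")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "type": token_type, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_type: str, now: Optional[int] = None) -> dict:
    """Check signature and expiry, then require the 'type' claim to match.

    Raises ValueError on any failure, so a caller can never accidentally treat
    a refresh token as an access token (or the other way round).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("type") != expected_type:
        raise ValueError(f"token type {payload.get('type')!r} not accepted here")
    return payload


def authorize_mutation(authorization_header: str, now: Optional[int] = None) -> dict:
    """Guard in front of a mutation resolver: only short-lived access tokens pass."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    return verify_token(token, expected_type="access", now=now)


def refresh_access_token(refresh_token: str, now: Optional[int] = None) -> str:
    """Refresh endpoint: only refresh tokens are accepted; mints a fresh access token."""
    claims = verify_token(refresh_token, expected_type="refresh", now=now)
    return mint_token(claims["sub"], "access", ACCESS_TTL, now=now)


def demo() -> dict:
    """Exercise every combination and report which ones are accepted."""
    now = 1_700_000_000  # fixed clock so the run is reproducible
    access = mint_token("user-42", "access", ACCESS_TTL, now=now)
    refresh = mint_token("user-42", "refresh", REFRESH_TTL, now=now)

    def outcome(fn, *args):
        try:
            fn(*args)
            return "accepted"
        except ValueError:
            return "rejected"

    return {
        "access_on_mutation": outcome(authorize_mutation, "Bearer " + access, now),
        "refresh_on_mutation": outcome(authorize_mutation, "Bearer " + refresh, now),
        "access_on_refresh": outcome(refresh_access_token, access, now),
        "refresh_on_refresh": outcome(refresh_access_token, refresh, now),
        # an access token past its expiry must be rejected even with a valid signature
        "expired_access": outcome(authorize_mutation, "Bearer " + access, now + ACCESS_TTL),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the demo is the last line of `verify_token`: signature and expiry checks alone treat the two tokens identically, and only the explicit `type` comparison keeps a long-lived refresh token from authorizing a mutation. Anything that issues both kinds of token from one signing key needs an equivalent distinguishing claim and a verifier that insists on it per endpoint.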
ModulesSoft (Author) commented:
This is an article for developers who may need to know about a possible solution.
