<figure class="image"><img src="https://images.unsplash.com/photo-1533988902751-0fad628013cb?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=1080&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjExODA5M30"><figcaption>Photo by: <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@zisun_word?utm_source=unsplash-chrome-extension&amp;utm_medium=referral">ZSun Fu</a></figcaption></figure><p>Here are how we implement authentication using feathers in DNA.</p><p>We first login user using username and password with a "local" strategy, like:</p><pre><code class="language-plaintext">{
   "strategy": "local",
   "email": "adam@deniapps.com",
   "password": "adam123$"
}</code></pre><p>Then, we save the returned access token in local storage, and then we check if the token is expired or not when the user loads the page (the logic is in layout.js.) The user does not need to re-login until the token is expired. But our jwt token is set to expire in 1 day, so it causes some issues on the post editing page. Says we logged in yesterday at 10 am and started writing a post at 9:40 am today, so we have only 20 mins left before the jwt token is expired. While we are writing, the jwt token could be expired already, then when we click on the Publish button at 10:10 am, for example, we go the "NotAuthenticated" error.</p><p><strong>Updated:</strong> We don't save JWT in the localStorage anymore, instead, we use httpOnly cookie. <a target="_blank" rel="noopener noreferrer" href="https://deniapps.com/blog/save-jwt-to-httponly-cookie-instead-of-localstorage">Check it out</a>.</p><p>So how to fix this? Somehow we need to auto-renew the jwt token, but when? Our editing page has an auto-save function, which is called every time user inputs something, so we can add the jwt renewal logic there:</p><pre><code class="language-javascript">onAutSave = () =&gt; {
// if jwt expires?
// yes, show alert popup -&gt; logout
// else, will jwt expires in 5 mins?
// yes, renew it
// continue;
}</code></pre><p>We do cover the case that users may be idle for a long time, but when they come back, and input something, it will trigger onAutoSave, and they will see the logout alert. So it's not bad, isn't it? If we really need, we could add idle checking as well to logout the user or extend the session.&nbsp;</p><p>Then back to another issue, the feathers JWT authentication method does not support auto-renewal out of the box, when we call the authentication function using the jwt strategy and current access token, it will return the same access token if the token is not expired. Good thing is that we can have a custom JW strategy function to regenerate the token.</p><pre><code class="language-javascript">
const { JWTStrategy } = require("@feathersjs/authentication");

module.exports = class CustomJWTStrategy extends JWTStrategy {
  async authenticate(authentication, params) {
    // run all of the original authentication logic, e.g. checking
    // if the token is there, is valid, is not expired, etc.
    const res = await super.authenticate(authentication, params);

	// and now the key trick - by deleting the accessToken here
    // we will get Feathers AuthenticationStrategy.create()
    // to generate us a new token.
    delete res.accessToken;
    return res;
  }
};</code></pre><p>The above code is borrowed from <a target="_blank" rel="noopener noreferrer" href="https://www.kn8.lt/blog/dynamic-session-length-in-feathers-for-optimal-ux/">kn8.it.</a> Karolis provided the solution to dynamic extend the JWT token session length,<strong> </strong>but<a target="_blank" rel="noopener noreferrer" href="https://www.kn8.lt/blog/dynamic-session-length-in-feathers-for-optimal-ux/"> </a>In our case, the JWTStrategy is solely used to renew access token, so no need to check oat (original issuing timestamp), etc.&nbsp;</p><p>The solution here could be an issue if someone got our token, which is supposedly expired in 1 day, but now they can call the authentication function with it before it's expired to get an unlimited access token. But I think the security behind the JWT token is assuming the bad guy won't see our token, otherwise, it's already big damage. What do you think?</p>

In Feathers, JWT tokens are stateless with expiration date. After expiration, we need to relogin to get a new one. For a better UX, especially users are writing a very long post, the expired token could cause unsaved draft. By default Feathers' jwt strategy does not return a new jwt token, but this could be customized, then to be used for our purpose - JWT Token Auto Renew.

JWT Token Auto Renew in FeathersJS 

<p>AWS provides us Amazon Cognito User Pools, which could be used as authorizer to control access to our application. Per <a target="_blank" rel="noopener noreferrer" href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html">Amazon Doc</a>: &nbsp;Amazon Cognito user pools implement ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard:</p><ol><li>The <a target="_blank" rel="noopener noreferrer" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">ID token</a> contains claims about the identity of the authenticated user such as <code>name</code>, <code>email</code>, and <code>phone_number</code>.</li><li>The <a target="_blank" rel="noopener noreferrer" href="https://tools.ietf.org/html/rfc6749#section-1.4">access token</a> contains scopes and groups and is used to grant access to authorized resources.</li><li>The <a target="_blank" rel="noopener noreferrer" href="https://tools.ietf.org/html/rfc6749#section-1.5">refresh token</a> contains the information necessary to obtain a new ID or access token.</li></ol><p>When we sign in the user pool using Amplify, we will obtain all those three tokens.&nbsp;<br>&nbsp;</p><figure class="image"><img src="https://images.unsplash.com/photo-1475701240414-7842311479e7?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=1080&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjE1NDAxMH0"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@genessapana?utm_source=DNX&amp;utm_medium=referral">Genessa Panainte</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure><h3>Which Token to Call API?</h3><p>Normally, the ID token is for Authentication, and the access token is for Authorization. When calling the API method, we typically set the token to the request's Authorization header. So, it sounds like we should use the access token, doesn't it? Based on the doc, we could use either the ID token or the access token. However, &nbsp;as we tested, <strong>we should use the ID token</strong>. That's because:</p><ol><li>The ID token is used to authenticate users to our resource servers or server applications (ex: API)</li><li>The purpose of the access token is to authorize API operations in the context of the user in the user pool. For example, you can use the access token to grant your user access to add, change, or delete user attributes.</li></ol><h3>What's the Refresh Token?</h3><p>Usually, we set the access token/the ID token expiration to be much shorter than the refresh token expiration. And then when the access token/the ID token expires, we can use an unexpired refresh token to get a new access token/ID token without asking users to re-login. The reason behind this is that the access token/the ID token is used to API method, in case they are stolen, the short expiry time could help minimize the damage.&nbsp;</p><h3>Will the Refresh Token Expires?</h3><p>Yes, with Amazon Cognito User Pool, we can set the app's refresh token expiration to any value between 60 minutes and 10 years.&nbsp;</p><h3>How to Check if the Refresh Token Expired or Not?</h3><p>Different to the access token/the ID token, which is the JWT token where we can get the expiration date, we cannot tell if the Refresh Token Expired or not from the token. But we can tell it from the auth_time of the refresh token/the ID token. For example, we set the refresh token expiration to 1 day, then we can use the following equation to get the refresh token expiration DateTime:</p><pre><code class="language-javascript">const authTime = user.signInUserSession.accessToken.payload["auth_time"];
const refreshTokenExpirationTime = 
	new Date(authTime * 1000 + 24 * 60 * 60 * 1000)</code></pre><h3>Possible Issues When Refresh Token is Expiring</h3><p>We set the access token expiration to be 60 mins, and the refresh token expiration to be 1 day. We use the Amplify library, which auto-refreshes the token when the access token expires, we basically get the 1-day session duration. Note that when the refresh token expires, the user has to re-login to get the new access token, ID token, and refresh token. So if the user is working on something when both the ID token and the refresh token are expired, then the unsaved work will be lost.</p><p>To understand how this works, let us use an example:</p><ul><li>The user logged in today at 9:00 am, he got an&nbsp;accessToken (valid until 10:am) and a refresh token (valid until 9 am tomorrow)</li><li>He comes back at 10:30 am, and his access token expires, but he is still logged in because his session is refreshed by the refresh token and he gets the new access token (valid until 11:30 am) and his refreshToken is still valid until 9 am tomorrow.</li><li>He comes back tomorrow at 8:30 am, he is still logged in, again thanks to the refresh token, and he gets a new access token valid until 9:30 am, then there is an issue because at 9:31 am, he has to re-login since&nbsp;his refresh token will be&nbsp;expired at that time. So his unsaved work will be lost at 9:31 am.</li></ul><h3>How to Handle When Refresh Token is Expiring</h3><p>If your application has an auto-save feature, like Gmail App, then how the refresh token works as we discussed above should be fine. Otherwise, we may look into some solution to manually log out the user at the right time to avoid losing unsaved work.</p><h4>Solution One</h4><p>Log out the user when the refresh token is about to expire in 60 mins, and we can check this when the page loads and when the user is active right after idle. In the other words, if the refresh token is not expired in 1 hour, then the user could get one more refresh, which could mitigate the session losing.&nbsp;</p><h4>Solution Two</h4><p>Implement the strict mode, for example, log out the user after the idle time is more than &nbsp;15 mins, which could be a popup to allow the user to extend the session (by setting a longer refresh token expiration.) Also, log out the user when we detect the refresh token expiration time is in a day at the initial page load. But this solution will sacrifice the benefit of the refresh token.</p><p>We know both solutions are not great. So if you have any ideas, please leave your comments.</p>

AWS provides us Amazon Cognito User Pools, which could be used as authorizer to control access to our application. The article will explain all three tokens implemented by Cognito User Pools, and discuss some common questions of how to use those tokens.

All Posts In Jwt