5

Is there a way to refresh a JWT token provided by devise-jwt in Rails? Or is the best practice to force the user to re-authenticate?

Such
  • This was actually answered in this issue: https://github.com/waiting-for-dev/devise-jwt/issues/7 – Such Dec 14 '18 at 07:57
  • Not really answered in that thread @such ... the answer being "do it on every request" (without an example) or "use a different gem". – David Parker Oct 25 '20 at 17:10

2 Answers

0

What I ended up doing is this:

In my allowlist:

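```ruby
def self.jwt_revoked?(payload, user)
  # Hook in here to refresh token
  token = user.allowlisted_jwts.where(payload.slice('jti', 'aud')).first
  # The parts in capitals are placeholders for your own check and lifetime
  if token.present? && (SOME LOGIC ABOUT YOUR EXPIRATION HERE)
    token.update_column(:exp, Time.now + SOME TIME)
  end
  # Revoked when no allowlist row matches the token's jti and aud
  token.blank?
end
```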

There I would check the expiration. For example, if your token lasts 60 seconds and you want to refresh if it is at least 30 seconds old, you could write:

```ruby
if token.present? && token.exp < (Time.now + 30.seconds)
  token.update_column(:exp, Time.now + 60.seconds)
end
```

David Parker
  • According to the devise-jwt README, the `jwt_revoked?` hook now has to be added to the model depending on the Allowlist strategy. Here, user. – ldlgds May 07 '23 at 13:49

0

In the case of an Allowlist, it should now be like this:

models/user.rb:

```ruby
def self.jwt_revoked?(payload, user)
  token = user.allowlisted_jwts.where(payload.slice('jti', 'aud')).order(created_at: :desc).first
  return true if token.blank?

  token.update(exp: Time.current + SOME_DELAY)
  false
end
```

ldlgds
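
The sliding refresh from the answers above, as an added plain-Ruby example that is not code from either answerer or from devise-jwt. It goes one step beyond them by rejecting allowlist rows that have already expired and by capping total lifetime; `AllowlistedJwt`, `MAX_SESSION`, the `allowlist` array and the `now:` parameter are assumptions made so the block runs without Rails.

```ruby
# Added example; plain-Ruby stand-in for the allowlisted_jwts table (names are hypothetical).
AllowlistedJwt = Struct.new(:jti, :aud, :exp, :created_at)

TOKEN_TTL      = 60       # seconds a row lives after a refresh (figure from the answer)
REFRESH_WINDOW = 30       # refresh once fewer than 30 seconds remain (figure from the answer)
MAX_SESSION    = 15 * 60  # assumption: hard cap on total lifetime, counted from created_at

# Same contract as the hook: true means "reject this token".
def jwt_revoked?(payload, allowlist, now: Time.now)
  row = allowlist.find { |r| r.jti == payload['jti'] && r.aud == payload['aud'] }
  return true if row.nil?

  # A row that has already expired is revoked, not revived.
  if row.exp <= now
    allowlist.delete(row)
    return true
  end

  # Slide the expiry forward, but never past the absolute cap.
  if row.exp < now + REFRESH_WINDOW
    row.exp = [now + TOKEN_TTL, row.created_at + MAX_SESSION].min
  end
  false
end

# Constructed sample data: one session issued at t0, checked at three later moments.
def demo
  t0 = Time.at(1_700_000_000)
  rows = [AllowlistedJwt.new('abc', 'web', t0 + 60, t0)]
  claims = { 'jti' => 'abc', 'aud' => 'web' }
  [10, 40, 200].map do |offset|
    revoked = jwt_revoked?(claims, rows, now: t0 + offset)
    [offset, revoked, rows.first && (rows.first.exp - t0).to_i]
  end
end

demo.each do |offset, revoked, exp|
  puts "t0+#{offset}s revoked=#{revoked} row_exp_offset=#{exp.inspect}"
end
```

This only moves the server-side `exp` stored in the allowlist row; the `exp` claim signed into the token the client holds is not changed by it.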