3

I'm using directus to grant users access to ressources required by an SPA written in Angular. To authenticate users I created an auth service and interceptor to handle sessions and attach the "Authorization" header. Those services work fine and login as intended. But here comes the problem:

Directus session times are configured with default values (15 min validity for access_token, 7d for refresh_token) but as soon as the access_token expires I cannot retrieve a new one using the refresh token. This bugs me, because the goal is to keep users logged in for the next 7d (refresh_token lifespan) or until logout if they check this option.

My attempts at achieving this:

  • Since i'm using graphQL, i tried the "auth_refresh" mutation from the authentication documentation. While the access token is still valid, refreshing works fine. After the access token expired there is no way to retrieve a new one via a valid refresh token.

  • Alternatively I tried to achieve a refresh via the POST request specified by the docs (to double check if it was some sort of config error with graphql) but I encounter exactly the same problems as with graphQL. Directus returns either "401 unauthorized : Token expired." if i extend the lifespan of the access token for longer than the server defined lifetime,

    Response: Sending a token with prolonged life

    or "401 unauthorized : Invalid user credentials." if I request a new token without an "Authorization" header.

    Response: Sending no access token

    The refresh token is correctly loaded and sent to the server as specified in the docs in both cases.

Now my questions are:

  1. Am I missing something? I haven't found any further specification in the docs and the Auth0 protocol specifies that a new access token should be retrievable with a valid refresh token.
  2. If this feature is not intended: How could I achieve a "keep me signed in" option with directus? I would like to keep user rights management in one place and do not really want to handle user auth redundantly for my current use case. 2b. Why is the lifespan of the refresh token so much longer than the lifespan of the access token if this isn't intended?
  3. One of my thoughts is, that it has to do with access rights of the "public" role on the "directus_sessions" table. But I can't think of a way to grant only read rights for owned/received tokens, since there are no payload variables available inside the filters. Could this be the cause? Would there be a way to achieve this?

Thx&Greetz

DerSkillBaumApfel
  • 31
  • 4
  • Same problem here... Have you found a solution for this? Thank you. – moreirapontocom Nov 16 '21 at 15:03
  • I switched over to using REST for auth requests. Seems to work as expected now. This is most likely a bug regarding the graphql endpoint, but I haven't done any further research what exactly is the root cause by now. – DerSkillBaumApfel Dec 13 '21 at 02:29

0 Answers0