Rest – How to handle JWT expiry in Laravel 5.3

apijwtlaravelrestSecurity

I am developing a mobile application back-end service using Laravel 5.3. I am following REST API.
Application having payment gateway integration and it needs more security.

I followed JWT auth by using the tymon/jwt-auth library for laravel.

I have few concerns: my token getting expired after 1 hour, after that server returning token expired error; and how can the app developer handle this situation? Asking user to log in again and again, is not possible.

How can app developer handle it?

What is the best and more secure approach?

Best Answer

If the token expires during the navigation, jwt-auth library allows you to refresh expired tokens, you should check out the documentation on GitHub.

If necessary, you can still access to user details even if a token has expired, and it gives you the benefits of deciding whether asking the user login again, logging in the user automatically again, or send the an email that gives an option to login directly from it.

If you are afraid that tokens get hijacked, you can blacklist tokens as soon as an user completes the payment, or you can even blacklist expired tokens just to make sure that they are never used again.

Related Solutions

REST API Authentication – Cookie vs Web Storage

Use both.

In your mobile app, you have better control over the code that runs and can avoid XSS vulnerabilities. So storing the token is not so problematic and you can have your code pass it to the API

In your webpage you do have to worry more about injected code, so use the secure cookie to store the token and have the browser pass it automatically

After all the API just has to read the token from the request. It can look in the Headers and the Cookies no problem and be hosted behind multiple domains

C# API – How to Handle Failed API Calls in C#

What I'd like to do is when the response has a status of 401 - Unauthorized, instead of throwing an exception or returning an object with an error message, the method should try to refresh the token (calling the appropriate method in another service) because it could be expired and just if the call fails again, throw the exception. I'd like to have this behavior for all the API calls.

That sounds like a great idea.

Let's start with a helper method to do exactly that:

public class ApiHelper : IApiHelper
{
    ...
    public async HttpContent GetAuthenticatedAsync(string requestUri)
    {
        var response = await ApiClient.GetAsync(requestUri);

        // Pseudo code:
        //
        // if (200): return response.Content
        // if (401): 
        //   refresh token
        //   try GetAsync again
        //   if (200): return response
        //   else: throw meaningful exception - something is wrong with our credentials
        // else: throw meaningful exception - unexpected return value
        ...
    }
}

Then I'd use encapsulation to ensure that your business logic can't accidentally bypass your helper method: Make ApiClient private and add new low-level helper methods as needed.

You have now taken the first step to abstract away the transport mechanism. This improves readability of your business logic, since the code there can now concentrate on solving problems in your problem domain, rather than dealing with issues on the transport layer. If you always use the same deserialization logic, it might make sense to put that into ApiHelper as well (e.g. some public async TResult GetAuthenticatedAsync<TResult, TResultMessage>(string requestUri)).

It will also make unit testing easier: Authentication issues should be tested by testing ApiHelper, not by testing MemberService.

Best Answer

Related Solutions

REST API Authentication – Cookie vs Web Storage

C# API – How to Handle Failed API Calls in C#

Related Topic