Description
The backend authentication needs refactoring. It covers:
- Registration
- Login
- Logout
- A server-side daily cron job to flush the blacklist
Registration:
The user's email and (hashed) password are saved in the DB.
Login:
If the given email and (hashed) password match a row in the DB table, create two tokens:
a long-lived refresh token and a short-lived access token.
According to the documentation, both the refresh token and the access token are sent back to the client, BUT WE DON'T DO THAT HERE.
We save the refresh token in the auth table (alongside the user and password) and only send the access token to the client.
So when the access token expires, the backend authenticate() should not throw the TokenExpire exception immediately.
Instead it should try to create a new access_token from the refresh_token obtained from the DB; only if that fails should the exception be raised.
Logout:
Logout is straightforward. The access_token saved on the client side is deleted, and then the refresh_token is deleted from the DB. According to the documentation the token would then be added to the blacklist so that the refresh token can't be reused, but we don't need to do that because the refresh token is never given to the client.
Cron:
According to the documentation the blacklist should be flushed on a daily basis, but since we don't send the refresh token to the client we don't need that either.
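The register / login / authenticate / logout flow described above, as an added Python example that is not this repository's code. It assumes a dict standing in for the auth table, a compact HMAC-signed token format in place of the project's JWT library, a constructed demo secret, and `TokenExpired` as the name of the expiry exception.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"                  # assumption: HMAC key, constructed for this example
ACCESS_TTL, REFRESH_TTL = 15 * 60, 7 * 24 * 3600     # short-lived / long-lived lifetimes, in seconds

class AuthError(Exception): pass
class TokenExpired(AuthError):                       # carries the (signature-checked) payload for the refresh step
    def __init__(self, payload): super().__init__("expired"); self.payload = payload

def _sign(payload):                                  # token = base64url(json) + "." + hex(HMAC-SHA256)
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _verify(token, now):                             # the signature is checked before the payload is trusted
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest(), sig):
        raise AuthError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        raise TokenExpired(payload)
    return payload

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, email, password):                   # db: dict email -> row, stand-in for the auth table
    salt = secrets.token_bytes(16)
    db[email] = {"salt": salt, "pw": _hash_pw(password, salt), "refresh": None}

def login(db, email, password, now=None):
    now = now or time.time()
    row = db.get(email)
    if row is None or not hmac.compare_digest(row["pw"], _hash_pw(password, row["salt"])):
        raise AuthError("invalid credentials")
    row["refresh"] = _sign({"sub": email, "typ": "refresh", "exp": now + REFRESH_TTL})  # kept server-side only
    return _sign({"sub": email, "typ": "access", "exp": now + ACCESS_TTL})              # only this goes to the client

def authenticate(db, access_token, now=None):
    """Return (email, access_token); on expiry mint a new access token from the DB-held refresh token."""
    now = now or time.time()
    try:
        p = _verify(access_token, now)
        if p["typ"] != "access": raise AuthError("wrong token type")
        return p["sub"], access_token
    except TokenExpired as e:                        # expired but correctly signed: try the stored refresh token
        row = db.get(e.payload["sub"])
        if row is None or row["refresh"] is None:
            raise AuthError("no refresh token on record (logged out?)") from e
        r = _verify(row["refresh"], now)             # raises TokenExpired/AuthError if the refresh token is unusable
        if r["typ"] != "refresh" or r["sub"] != e.payload["sub"]:
            raise AuthError("refresh token mismatch") from e
        return r["sub"], _sign({"sub": r["sub"], "typ": "access", "exp": now + ACCESS_TTL})

def logout(db, email):                               # client discards its access token; server drops the refresh token
    if email in db: db[email]["refresh"] = None
    # an already-issued access token stays valid until ACCESS_TTL elapses, so keep ACCESS_TTL short
```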