Describe the story
Issue a refresh token in the sign in response. Refresh token expiration is configurable and defaults to 24h.
Allow users to exchange a refresh token for a new access token.
Requirements
Configuration
- Add an application configuration variable named JWT_REFRESH_EXPIRES_IN which may be expressed as a time span string such as "24h". Default value is "24h".
Auth Service
- In the signIn function, generate a refresh token and return it in the response alongside the access token.
Auth Controller
- In the signIn handler
  - Return the refresh token in the API response.
- Add a new POST /token endpoint
  - Request body: refreshToken - A refresh token
  - Verify the refresh token
  - If the refresh token is not expired and the user exists for the sub in the payload, generate a new accessToken and return it in the response.
  - If the refresh token is expired or the user does not exist, return HTTP 400 bad request.
Infrastructure
- Add the refresh token expiration configuration variable to the infrastructure and pass it to the Application container (not the Scheduled Task container). Variable name is CDK_APP_JWT_REFRESH_EXPIRES_IN.
Documentation
- Update the configuration guide
- Update the infrastructure guide
Acceptance criteria
GIVEN the user has valid credentials
WHEN a user calls the sign in endpoint
THEN the response contains an access token
AND the response contains a refresh token
WHEN a user calls the token endpoint
THEN the refresh token is extracted from the request body
AND the refresh token is verified
AND the User is fetched from the database by sub
AND a new access token is returned to the user
WHEN the user calls the token endpoint with an expired refresh token
THEN the system returns an HTTP 400 status code
AND the response body contains error details
WHEN the user calls the token endpoint with a refresh token for an inactive user
THEN the system returns an HTTP 400 status code
AND the response body contains error details
Additional context
Add any other context about the story here.