Extend JWT expiry?

[mike-5345]

Hello,

I am making a web app with loco as the backend. I am using the built in JWT for authentication, but I have run into a bit of an issue. How can I extend a session? For example, if a user is logged in on the web portal and doing some work, if the JWT expires it will just kick them out of their session. How am I supposed to prevent this from happening?

There was another post about this, but the response was just to set the expiry to a longer time frame. I don't see how this solves the problem or is secure. If I set the expiry to 8 hours, what happens when they come back 7 hours and 55 minutes later, start doing some work, and then gets booted out? Why would I want a valid token floating around for 8 hours? It just seems less secure than a traditional session ID that expires in 15-30 minutes, and gets extended every time a valid request is made.

Thanks.

[kaplanelad]

In the config YAML, you have expiration. See example here: https://github.com/loco-rs/loco/blob/master/loco-new/base_template/config/development.yaml.t#L134C5-L134C15

[hansalves]

In src/controllers/auth.rs you can add a function like

#[debug_handler]
async fn refresh(auth: auth::JWT, State(ctx): State<AppContext>) -> Result<Response> {
    let user = users::Model::find_by_pid(&ctx.db, &auth.claims.pid).await?;

    let jwt_secret = ctx.config.get_jwt_config()?;

    let token = user
        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
        .or_else(|_| unauthorized("unauthorized!"))?;

    format::json(LoginResponse::Login(LoginData::new(&user, &token)))
}

Then add it in the routes function, and call this function periodically from your front-end to get a new JWT. This way you can set the expiration time a lot lower, and as long as the user stays active this function will be called once every while to extend the duration of the session.