Add refresh token functionality
On 200 response from /auth/token, the data attribute should also contain a refresh token.
The refresh token will be stored in the user table:
refresh_token: {type: varchar(255), default: NULL, comment: refresh token}
refresh_token_created: {type: timestamp, default: NULL, comment: datetime refresh_token created}
Update GenerateToken so that it stores a hashed key in user.refresh_token and current timestamp in user.refresh_token_created
Add config item for api.refresh_token_ttl: +1 week
New Security processor: RefreshToken
- Input: refresh_token
- find the user matching the refresh_token and timestamp within user.refresh_token_created + api.refresh_token_ttl
- if no valid refresh token return 403: Forbidden
- Generate a new token, refresh_token and update user.refresh_token and user.refresh_token_created
- return DataContainer array with token,
Create a new resource:
- Path: `auth/token-refresh`
- Method: POST
- GET vars:
- POST vars:
  - refresh_token=<refresh_token>
- Header: Bearer
- Security: Must have a valid bearer token
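
The GenerateToken change and the RefreshToken processor described above, as an added sketch that is not the project's own code. Assumptions: the user table is an in-memory list of dicts, the function names and the `token` column are hypothetical, the hash is unsalted SHA-256, and the bearer-token check on the resource is left out.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

REFRESH_TOKEN_TTL = timedelta(weeks=1)  # api.refresh_token_ttl: +1 week

class Forbidden(Exception):
    """Maps to the 403: Forbidden response."""

def hash_refresh_token(token: str) -> str:
    # Assumption: unsalted SHA-256. The processor receives only the token, so
    # the hash must be deterministic to locate the row; the token's 256 bits
    # of randomness make a salt or slow password hash unnecessary.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def generate_token(user: dict, now: datetime) -> dict:
    """GenerateToken: issue both tokens, persist only the refresh token hash."""
    token = secrets.token_urlsafe(32)
    refresh_token = secrets.token_urlsafe(32)
    user["token"] = token  # hypothetical column for the bearer token
    user["refresh_token"] = hash_refresh_token(refresh_token)  # 64 hex chars
    user["refresh_token_created"] = now
    return {"token": token, "refresh_token": refresh_token}

def refresh_token_processor(users: list, presented: str, now: datetime) -> dict:
    """RefreshToken: match hash and TTL, then rotate; otherwise Forbidden."""
    try:
        digest = hash_refresh_token(presented)
    except UnicodeEncodeError:
        raise Forbidden("invalid refresh token") from None
    for user in users:
        stored, created = user["refresh_token"], user["refresh_token_created"]
        if stored is None or created is None:  # column default NULL
            continue
        if hmac.compare_digest(stored, digest) and now <= created + REFRESH_TOKEN_TTL:
            # Rotation overwrites the stored hash, so the presented token
            # cannot be replayed after this call.
            return generate_token(user, now)
    raise Forbidden("no valid refresh token")

if __name__ == "__main__":
    # Constructed sample row standing in for the user table.
    users = [{"username": "alice", "refresh_token": None, "refresh_token_created": None}]
    issued = generate_token(users[0], datetime.now(timezone.utc))
    rotated = refresh_token_processor(users, issued["refresh_token"], datetime.now(timezone.utc))
    print("rotated:", rotated["refresh_token"] != issued["refresh_token"])
```

The SHA-256 hex digest is 64 characters, which fits the varchar(255) column.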