Once expired code will not reach refreshTokens

[dunatron]

on L 33 of index.js you have logic like this
if (!token) {
return next();
}

If the token were to expire in the client, the client will not send it along with the request meaning there is no token and refreshTokens would never be hit?

[dunatron]

If a cookie has expired, the browser does not send that particular cookie to the server with the page request; instead, the expired cookie is deleted.
https://superuser.com/questions/356265/what-do-browsers-do-with-expired-cookies

[benawad]

which branch?

[dunatron]

https://github.com/benawad/graphql-express-template/blob/23_cookies/auth.js

[dunatron]

sorry here
https://github.com/benawad/graphql-express-template/blob/23_cookies/index.js
try setting the cookie age for like 2 minutes
e.g.

const JWT_TOKEN_MAX_AGE = 1000 * 60 * 2; // 2 minutes
module.exports.JWT_TOKEN_MAX_AGE = JWT_TOKEN_MAX_AGE;

[dunatron]

I have tested the logic in my own branch, and once the token expires its not sent. I believe this is different from browser to browser.
https://github.com/dunatron/Re_Houser/blob/apollo-3.0/server/src/index.js

perhaps this needs re-thought?

[benawad]

I set the expiration to the same as the refresh token, so I think it should work in that case.

But I think it's better to rework the logic to check if the refresh token is there even if the token is not.

[dunatron]

I think the issue would still remain the same and once expired it too can potentially no longer be sent. I guess there is not too much you can do under those circumstances, no token, then re-auth. Your logic is actually fine as long as the browser/client does not delete the cookie once expired