
I'm doing my authentication system with Laravel & JWT, but I have some questions.

I use the tymon jwt package

  1. I have a token generated at login, valid for 24 hours, and if the remember-me box is checked, it is valid for 2 years. But how should I proceed to renew the token during these 2 years? I guess I don't have to keep the same one, for security reasons?

  2. Do I have to store something in a database? Like a remember-me token, for example, or a refresh token?

I'm a bit lost with all this, and I'd like to understand how to proceed. I've already searched quite a bit on the internet, but I can't find what I want, or it's incomplete.

public function login()
{
    $credentials = request(['email', 'password']);

    // request(['remember_me']) returns an array, and a non-empty array is
    // always == true, so the original check made every login a 2-year one.
    // Read the single value and coerce it ("1", "true", "on" all count).
    $rememberMe = filter_var(request('remember_me'), FILTER_VALIDATE_BOOLEAN);
    $ttl = (int) ($rememberMe ? env('JWT_REMEMBER_TTL') : env('JWT_TTL')); // minutes

    // The TTL has to be handed to the guard before attempt(); otherwise the
    // token is minted with the default jwt.ttl no matter what $ttl holds.
    if (!$token = auth()->setTTL($ttl)->attempt($credentials)) {
        return response()->json(['error' => 'Wrong credentials'], 401);
    }

    return $this->respondWithToken($token, $ttl);
}

protected function respondWithToken($token, $ttl)
{
    return response()->json([
        'access_token' => $token,
        'token_type'   => 'bearer',
        'expires_in'   => $ttl * 60, // clients expect seconds; $ttl is in minutes
    ]);
}

# .env, both values in minutes: 1440 = 24 hours, 1051200 = 730 days
JWT_TTL=1440
JWT_REMEMBER_TTL=1051200

Thanks in advance,

2 Answers

You don't have to store anything in a database.

Create two JWTs, one as the access token (login) and one for remember me. Set the access token to expire after 24 hours as usual, and the remember-me token to expire after 2 years.

On your protected route, check if the access token is expired, and if it is, check for the remember me token. If the remember me token is present, issue a new access token.


5 Comments

That's what I was going to do, but for the moment the token is identical except for the TTL, so I would have to differentiate between a normal token and a token with a remember me, to be able to check if I refresh it or not. But thanks anyway, now I know that I don't need to store anything in db.
Hi @Retorks, I want to handle the same functionality. Could you please guide me on how you issue a new access token and where that code should be placed?
@Asif you can use passport to simplify this
@Retorks I am using JWT. Is it possible to handle this in JWT?
@Retorks Can you share how you achieved this? I don't use Passport, I only use JWT. I am in the same situation where I need the remember_me function.
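The two-token scheme this answer describes, written out as an added example (it is not code from the question, the answers, or the tymon/jwt-auth package): plain PHP, HS256 via hash_hmac, no framework. The helper names (issueToken, verifyToken, authenticate), the token_use claim used to tell the two kinds of token apart (which is what the first comment above asks about), and the demo secret and clock are all my own assumptions. One caveat the answer leaves out: with nothing stored server-side, a two-year remember-me token cannot be revoked before it expires. If you need logout or recovery from a stolen token, keep at least a denylist of jti values; tymon/jwt-auth's own blacklist (on by default, backed by the cache store) is exactly that kind of record.

```php
<?php
// Added example, not code from the question or the tymon/jwt-auth package.
// Two HS256 JWTs: a short-lived access token and a long-lived remember-me
// token, told apart by a custom "token_use" claim (an assumed claim name).
declare(strict_types=1);

const ACCESS_TTL   = 24 * 60 * 60;           // 24 h, like JWT_TTL=1440 minutes
const REMEMBER_TTL = 2 * 365 * 24 * 60 * 60; // 2 years, like JWT_REMEMBER_TTL

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// Mint a token; $use is 'access' or 'remember'.
function issueToken(string $secret, int $userId, string $use, int $ttl, int $now): string
{
    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = [
        'sub'       => $userId,
        'token_use' => $use,                      // which kind of token this is
        'iat'       => $now,
        'exp'       => $now + $ttl,
        'jti'       => bin2hex(random_bytes(16)), // unique id, needed for a denylist
    ];
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($payload));
    return $signingInput . '.' . b64url(hash_hmac('sha256', $signingInput, $secret, true));
}

// Check the signature first, then expiry and the expected token_use. Null on any failure.
function verifyToken(string $secret, string $jwt, string $expectedUse, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $secret, true), b64urlDecode($s))) {
        return null;
    }
    $payload = json_decode(b64urlDecode($p), true);
    if (!is_array($payload)
        || ($payload['token_use'] ?? null) !== $expectedUse
        || !isset($payload['exp']) || $payload['exp'] <= $now) {
        return null;
    }
    return $payload;
}

// The protected-route logic from the answer: accept a live access token; if it is
// missing or expired, accept a live remember-me token and mint a new access token.
// Returns [claims or null, new access token or null].
function authenticate(string $secret, ?string $access, ?string $remember, int $now): array
{
    if ($access !== null && ($claims = verifyToken($secret, $access, 'access', $now)) !== null) {
        return [$claims, null];
    }
    if ($remember !== null && ($claims = verifyToken($secret, $remember, 'remember', $now)) !== null) {
        $fresh = issueToken($secret, (int) $claims['sub'], 'access', ACCESS_TTL, $now);
        return [verifyToken($secret, $fresh, 'access', $now), $fresh];
    }
    return [null, null];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
}

// Demo with a constructed secret and a fixed clock.
$secret   = 'constructed-demo-secret-do-not-reuse';
$t0       = 1700000000;
$access   = issueToken($secret, 42, 'access', ACCESS_TTL, $t0);
$remember = issueToken($secret, 42, 'remember', REMEMBER_TTL, $t0);

[$claims, $fresh] = authenticate($secret, $access, $remember, $t0 + 3600);
check($claims['sub'] === 42 && $fresh === null, 'live access token is used as-is');

[$claims, $fresh] = authenticate($secret, $access, $remember, $t0 + 25 * 3600);
check($claims['sub'] === 42 && $fresh !== null, 'expired access token is replaced via remember-me token');

[$claims, $fresh] = authenticate($secret, $access, $remember, $t0 + REMEMBER_TTL + 1);
check($claims === null && $fresh === null, 'both expired: user has to log in again');

check(verifyToken($secret, $remember, 'access', $t0) === null, 'remember-me token cannot act as access token');
check(verifyToken($secret, $access . 'x', 'access', $t0) === null, 'tampered signature is rejected');
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every check passes. The point of the token_use claim is that the verifier demands it explicitly, so a long-lived remember-me token is never accepted on a route that expects an access token, and vice versa. Whether the client sends the remember-me token on every request or only when it gets a 401 is a transport choice; what matters is that the server mints a fresh short-lived access token from it rather than extending the old one.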

You can handle it this way as well, and it's working fine with the JWT package: use the setTTL function and define two different times in the .env file.

// A form or JSON field arrives as "1"/"true"/"on", not a PHP bool, so a strict
// === true comparison only works for a JSON true; filter_var covers all of them.
$rememberMe = filter_var($request->remember_me, FILTER_VALIDATE_BOOLEAN);
$ttl = $rememberMe ? env('JWT_REMEMBER_TTL') : env('JWT_TTL');

if (! $token = auth()->setTTL($ttl)->attempt($credentials)) {
    // invalid credentials
}
