
Comments (13)

jpadilla commented on May 16, 2024

@erichonkanen might be interesting to provide some hooks that would allow for this perhaps without adding a specific implementation e.g. "X seconds from last mouse movement".

from ember-simple-auth-token.

hoIIer commented on May 16, 2024

Hey @jpadilla,

I started a fork of this with the intent of trying to start an implementation of some sort of refresh token functionality. I mostly took the inspiration from:

https://github.com/simplabs/ember-simple-auth/blob/master/packages/ember-simple-auth-oauth2/

It may or may not be on the right track but hoping you can maybe review so far and give any guidance/input?

The main file I started updating is the authenticator. My initial tests (with DRF/jwt) seem to work although after 1 refresh I get a 400 non_field_errors with signature expired. (not sure why?)

https://github.com/erichonkanen/ember-cli-simple-auth-token/tree/master/addon/authenticators

Anyways lmk what you think!

hoIIer commented on May 16, 2024

Also, the implementation so far is based on a time interval but like initially stated it would be nice to maybe have it triggered by an event... I'll have to work that in

jpadilla commented on May 16, 2024

Looks like a good start, although I'd rather focus on how to actually build the API for the classes to allow extending and customizing the actual refreshing.

Regarding the 400 error you were getting, it was probably a Signature has expired right? In that case I imagine you set a low JWT_EXPIRATION_DELTA so by the time the request was sent the token was already expired. Refreshing only works if original token hasn't already expired.

hoIIer commented on May 16, 2024

@jpadilla I see so instead of actually including the mechanisms that handle the refresh, are you saying you'd like it to just have the hooks like below? If that's the case maybe it could include a default mechanism? Or it could just have an example in the docs... lmk if I can contribute, I need this functionality anyways and learning more ember as I go :)

  authenticate: function(credentials) {
    var _this = this;
    return new Ember.RSVP.Promise(function(resolve, reject) {
      var data = _this.getAuthenticateData(credentials);
      _this.makeRequest(_this.serverTokenEndpoint, data).then(function(response) {
        Ember.run(function() {

          // Refresh hook: called once the token request has succeeded
          _this.handleRefresh();

          resolve(_this.getResponseData(response));
        });
      }, function(xhr) {
        Ember.run(function() {
          reject(xhr.responseJSON || xhr.responseText);
        });
      });
    });
  },

jpadilla commented on May 16, 2024

@erichonkanen yea perhaps something like that. I'm trying to keep this as generic as possible. Token refresh like this is very implementation specific, in this case with JWT.

Thinking about it, we can in fact build and include in this package topic specific implementations which extend from TokenAuthenticator, etc.

I'm not really sure what a default implementation for this should be, but what you're doing might work, an automatic time-triggered refresh (x seconds before token expires?), JWTAuthenticator/JWTAuthorizer? This would have to work after login and refresh.

I'd also like to provide a JWTSession which decodes the data from the token #18.

Thoughts?

hoIIer commented on May 16, 2024

@jpadilla I like the ideas... I'm a little unsure on how to define JWTAuthenticator/Authorizer, do you mean just extending the token.js methods or making the token.js e.g. authenticate() call JWTAuthenticate()?

I definitely like the idea of having a JWTSession included as it seems like something that would be common and useful.

I've played with what I showed you previously and updated it slightly to set the user data on the session in the .find().then()

https://github.com/erichonkanen/cl-frontend/blob/master/app/initializers/session.coffee#L29

Seems to work but still not sure if that's a good approach

hoIIer commented on May 16, 2024

I'm going to hack at this over the weekend

jpadilla commented on May 16, 2024

You'd probably just end up creating addon/authenticators/jwt.js, import from addon/authenticators/token.js and extend accordingly.

Also, I'm not sure if looking up the user data and setting it up in the session is necessary. Why not have a custom serializer on django-rest-framework-jwt that returns your user profile and the token? You'd have all that data from the login response in your session by default.

hoIIer commented on May 16, 2024

@jpadilla in regards to writing a custom serializer w/drf-jwt, would it make any sense to make a change to that repo to allow easily adding extra response data? if not I guess I could just create my own serializer although I like the idea of not having to have much custom auth stuff other than the payload handler etc...

jwt_response_payload = api_settings.JWT_RESPONSE_PAYLOAD

class JSONWebTokenSerializer(Serializer):
    ....

    def validate(self, attrs):
        ...

        payload = {}
        token_payload = jwt_payload_handler(user)

        # Include original issued at time for a brand new token,
        # to allow token refresh
        if api_settings.JWT_ALLOW_REFRESH:
            token_payload['orig_iat'] = timegm(
                datetime.utcnow().utctimetuple()
            )

        # Obtain token.
        payload.update({'token': jwt_encode_handler(token_payload)})

        # Attach any additional data to the response.
        payload.update(jwt_response_payload(user))

        return payload

And

class ObtainJSONWebToken(APIView):
    ...

    def post(self, request):
        serializer = self.serializer_class(data=request.DATA)
        if serializer.is_valid():
            return Response(serializer.object)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

where serializer.object is passed into Response()

lmk if anything warrants moving that discussion to the drf/jwt repo!

hoIIer commented on May 16, 2024

@jpadilla after much playing around to ensure proper time conversion, I got a rough version working very nice in conjunction w/the drf jwt package.. tested and it works as expected for basic refresh capability (consumes the token orig_iat and exp from drf jwt package)...

I need to basically do what you suggested and move all the code into another file but just got it working first.. Let me know your thoughts.. this will be very awesome to have, basically plug and play w/simple refresh built in

Time stuff works but maybe could be cleaned up by a better js guru?
https://github.com/erichonkanen/ember-cli-simple-auth-token/blob/master/addon/authenticators/token.js#L179

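The time-triggered refresh discussed in this thread (refresh some seconds before `exp`, and only while the token has not yet expired), as an added example that is not code from the addon or from anyone in the thread. The names `decodeClaims`, `planRefresh`, `leewaySec` and `refreshLimitSec` are hypothetical, the cap on refreshing counted from `orig_iat` is an assumption about the server, and the token is a constructed sample.

```javascript
// Added example: decide from a JWT's own claims whether and when to refresh it.
// decodeClaims, planRefresh, leewaySec and refreshLimitSec are hypothetical names.

// Read the payload segment of a compact JWT. This does NOT verify the signature:
// the claims are used only for scheduling; the server validates the token itself.
function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (!Number.isFinite(claims.exp)) throw new Error('token has no numeric exp');
  return claims;
}

// nowSec: current time in seconds since the epoch (exp and orig_iat are seconds,
// Date.now() is milliseconds). leewaySec: how long before exp to refresh.
// refreshLimitSec: assumed server-side cap on refreshing, counted from orig_iat.
function planRefresh(token, nowSec, leewaySec, refreshLimitSec) {
  const { exp, orig_iat } = decodeClaims(token);
  if (nowSec >= exp) {
    // An expired token cannot be refreshed; the user has to log in again.
    return { action: 'reauthenticate', reason: 'token already expired' };
  }
  if (Number.isFinite(orig_iat) && nowSec >= orig_iat + refreshLimitSec) {
    return { action: 'reauthenticate', reason: 'refresh window closed' };
  }
  // Refresh leewaySec before expiry, or immediately if that moment has passed.
  const delaySec = Math.max(0, exp - leewaySec - nowSec);
  return { action: 'refresh', delayMs: delaySec * 1000 };
}

// Constructed sample token with a placeholder signature, for illustration only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const sample = makeSampleToken({ user_id: 1, orig_iat: 1000, exp: 1300 });
console.log(planRefresh(sample, 1100, 60, 7 * 24 * 3600)); // refresh, delayMs 140000
console.log(planRefresh(sample, 1290, 60, 7 * 24 * 3600)); // refresh, delayMs 0
console.log(planRefresh(sample, 1300, 60, 7 * 24 * 3600)); // reauthenticate
```

Client clock skew shifts every comparison here, so `leewaySec` should exceed the expected skew plus request latency while staying below the token lifetime; otherwise each new token is refreshed immediately.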

jpadilla commented on May 16, 2024

@erichonkanen LGTM at a first glance. It will be easier to assess once they are properly separated. Real important part of this will be testing. There should be enough tests already written that will help you get it done.

jpadilla commented on May 16, 2024

@erichonkanen released this as v0.6.0. Thanks again for all the work!
