2

I am developing a mobile application back-end service using Laravel 5.3. I am following a REST API design. The application has payment gateway integration, so it needs more security.

I implemented JWT auth using the tymon/jwt-auth library for Laravel.

I have a few concerns: my token expires after 1 hour, and after that the server returns a token expired error. How can the app developer handle this situation? Asking the user to log in again and again is not possible.

How can app developer handle it?

What is the best and more secure approach?

Laiv
asked Oct 13, 2016 at 17:34

1 Answer

1

If the token expires during navigation, the jwt-auth library allows you to refresh expired tokens; you should check out the documentation on GitHub.

If necessary, you can still access user details even if a token has expired, which gives you the benefit of deciding whether to ask the user to log in again, log the user in automatically again, or send an email that gives an option to log in directly from it.

If you are afraid that tokens get hijacked, you can blacklist tokens as soon as a user completes the payment, or you can even blacklist expired tokens just to make sure that they are never used again.

answered Oct 14, 2016 at 0:32
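The refresh-and-blacklist flow described in this answer, as an added example that is not part of the original post and is not tymon/jwt-auth's own code: an expired token is exchanged once for a new one inside a bounded refresh window, and the old token's `jti` is blacklisted so a stolen copy cannot be reused. The secret, the 14-day window, the `login_at` claim and all function names are assumptions made for illustration (PHP 7.1+).

```php
<?php
// Added illustration: hand-rolled HS256 with constructed values, not tymon/jwt-auth code.
const SECRET = 'constructed-demo-secret';
const TTL = 3600;            // access lifetime: 1 hour, as in the question
const REFRESH_TTL = 1209600; // assumed: refresh allowed for 14 days after login

function b64(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }

function issue(string $sub, int $now, ?int $loginAt = null): string {
    $claims = ['sub' => $sub, 'iat' => $now, 'exp' => $now + TTL,
               'login_at' => $loginAt ?? $now, 'jti' => bin2hex(random_bytes(8))];
    $body = b64(json_encode(['alg' => 'HS256', 'typ' => 'JWT'])) . '.' . b64(json_encode($claims));
    return $body . '.' . b64(hash_hmac('sha256', $body, SECRET, true));
}

// Checks signature and blacklist only; expiry is the caller's decision.
function decode(string $jwt, array $blacklist): array {
    $p = explode('.', $jwt);
    if (count($p) !== 3) throw new Exception('malformed token');
    $sig = b64(hash_hmac('sha256', $p[0] . '.' . $p[1], SECRET, true));
    if (!hash_equals($sig, $p[2])) throw new Exception('bad signature');
    $claims = json_decode(base64_decode(strtr($p[1], '-_', '+/')), true);
    if (isset($blacklist[$claims['jti']])) throw new Exception('token blacklisted');
    return $claims;
}

function authenticate(string $jwt, array $blacklist, int $now): array {
    $c = decode($jwt, $blacklist);
    if ($now >= $c['exp']) throw new Exception('token expired');
    return $c;
}

function refresh(string $jwt, array &$blacklist, int $now): string {
    $c = decode($jwt, $blacklist);   // an expired token is still accepted here
    if ($now >= $c['login_at'] + REFRESH_TTL) throw new Exception('refresh window closed');
    $blacklist[$c['jti']] = true;    // the old token can never be used or refreshed again
    return issue($c['sub'], $now, $c['login_at']);
}

// Constructed walk-through: the app comes back two hours after login.
$blacklist = []; $t0 = 1476380000;
$old = issue('user-42', $t0);
$later = $t0 + 2 * 3600;
try { authenticate($old, $blacklist, $later); } catch (Exception $e) { echo $e->getMessage(), "\n"; }
$new = refresh($old, $blacklist, $later);
echo authenticate($new, $blacklist, $later)['sub'], "\n";
try { refresh($old, $blacklist, $later); } catch (Exception $e) { echo $e->getMessage(), "\n"; }
```

On the client side, the mobile app would call the refresh endpoint once when it receives the token expired error, store the new token, and retry the original request; only a closed refresh window or a blacklisted token sends the user back to the login screen.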
