Auto refresh token clarification

[derHodrig]

Hello,
we have implemented token refresh.
The tokens (access and refresh token) are set correctly and the max-age is set.

I think I understood the Module wrong. I thought the module will automatically send refresh requests just before the access token gets invalid.

I signed in and waited for the expiration of the access token. ( no auto-refresh/ no backend request ), I waited for the expiration of the refresh token, also no auto-refresh / no backend request.

If the user is signed in and does not close the web application, assuming he idles on an auth page, I thought his session gets refreshed as long as he doesn't hit sign out.

Could you confirm auto-refresh works, or is my knowledge about the token refresh wrong?

EDIT:
Some configs and version

Config

auth: {
    redirect: {
      login: '/de/auth/signin',
      logout: '/de/auth/signin',
      callback: '/',
      home: '/de/dashboard',
    },
    cookie: {
      options: {
        secure: true,
      },
    },
    strategies: {
      local: {
        scheme: 'refresh',
        token: {
          property: 'accessToken.token',
          maxAge: 800,
        },
        refreshToken: {
          property: 'refreshToken.token',
          maxAge: 800,
          tokenRequired: true,
        },
        user: {
          autoFetch: false,
        },
        endpoints: {
          ....
          refresh: { url: '/api/QSDAuth/refreshToken-tokens', method: 'post' },
          ...
        },
        autoLogout: false,
      },
    },
  },

Version

"nuxt": "^2.15.3",
"@nuxtjs/auth-next": "5.0.0-1621716493.b9b36c6",

[derHodrig]

Connecting #1653

[sneakylenny]

If the option auth.cookie.secure is set to true an you are testing locally (or on any other http domain), your browser may be preventing the app from saving the cookies and you will see these messages in the console:

Try setting this to false to see if it helps and set it back to true when using SSL

[derHodrig]

Hello, I saw your two answers. I will check this in the next days since I moved to an other flat, doing my driving licence and we are releasing a new product this week.

[derHodrig]

First, to prevent F5 issue, I disabled the user endpoint (just user: false) but the config of the user

user: {
  autoFetch: false
}

does not work, it fetches after F5 if user endpoint is not disabled. Maybe Bug Maybe could be better written in the Docs.

But for the point, I just idle in my dashboard for the time the JWT is available, the module does not refresh the token. Is there any Option for the refresh time? or is this even possible with this module?

[sneakylenny]

autoFetch documentation says:

This option can be used to disable user fetch after login. It is useful when your login response already have the user.

I've tested it, and it does what it's supposed to do: Not fetching the user after login. However if I refresh the page I get redirected to home because it fetches the user from the endpoint by default using the obtained JWT from the login. It does this because endpoint.user is not false.
So to disable fetch user on refresh the endpoint should be explicitly set to false.

If you would like to fetch and set the user manually later you could just use Axios and set the user manually using setUser(user)

As for the JWT:

Usually the expiration date-time (exp) of the token is encoded within the JWT which is decoded and used by module. If it wouldn't be present it would use the maxAge which defaults to 1800 if not set.

If it is expired it does not magically refresh the token.

Here is how it works is:

the module checks on every request you make using $axios if the jwt has not been expired yet. If it is, that will be the moment the module suspends the request and uses the refresh token and to obtain a new JWT from your configured refresh endpoint.
If this operation succeeds it will fire off the initial request and continue.
If this operation fails it will log you out assuming resetOnError is set to true

If you want it to be live you should implement it manually.

[derHodrig]

Okay thanks for the clarification!

[derHodrig]

this.$auth.strategy.token.status()
is an observable which observes the status of the token. This validates the exp date. ITS NOT WORKING. Exp date is set correctly, this thing does not change.

[derHodrig]

Obsolet