Versions Compared

Version Old Version 4 New Version Current
Changes made by

olli bowers (Unlicensed)

olli bowers (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

general session logic

  • /login

    • creates a session (the only way to)

    • generate a new token pair

      • this consists of a refresh token and a session token

      • these relate to the session

    • refresh tokens

      • get stored in secure cookies and are only given to the /refresh (and logout) route

        • secure cookies are protected from javascript

      • these last for 30+ days, and are used to get a new pair (FOR REFRESHING THE TOKEN PAIR)

      • are the key into the refresh_token storage in mongo

    • session tokens (or access tokens)

      • get stored in redux memory (NOT PERSISTED)

      • last for 15 minutes, used to authorize on any resource route (FOR GETTING USER DATA)

      • are the key into a session_token storage in redis

  • /refresh

    • generates a new token pair

    • is called when your session token dies

    • is also called when you first enter page

    • is what the refresh token is used for

  • /<resource route (user data routes)>

    • takes session token in as Authorization: Bearer <token> headers

    • looks at this token in redis, pulls out its sid and uid

  • /logout

    • is the death of a session

    • will take a session token (and by factor of credentials, the refresh token too)

    • kills all tokens and the living session

...