Added API endpoint for token refresh by jppellerin · Pull Request #172 · auth0/node-jsonwebtoken
@jfromaniello Thanks for the feedback. The goal (for what we are using it for) is to extract all fields of a token and return it with a new exp. The only way (as far as I know) is to create a new one.
I didn't include verification since the token needs to be decoded for this to work. Therefore, it assumes the user has manipulated this - thus it would be safe to assume that it has been validated.
I agree that if one uses this API the wrong way and refreshes a non-valid JWT, then a valid one will be returned, which is cause for concern.
The value this endpoint has is to save the logic of copying over the fields of the existing token and re-signing it. I can agree with you that it is not something extremely difficult to do, but it is something that is useful and that many people are using (or so it seems by the interest in this pull request). I would assume that this is going to be more and more common as people are moving towards serverless architectures/completely stateless.
All that being said: I think that verification would be a good idea. I also think it is a useful endpoint (I may be biased since I'm using this).