Hey folks. I am trying to move away from basic auth on my toy project and wanted to do a sessions + JWT implementation. I plan on hand rolling this to understand the entire auth process (which has always scared me in the past)
Can you critique my auth strategy and let me know if it makes sense?
Goals - faster query as sessions db doesnt needs to be queried for more than once every n days - jwt is only usable for n hours, so if its stolen it wouldn't cause as much issues - sessions are long running and if the user returns back after some time, they don't need to relogin - if the user returns back after a very long period of time, they will need to relogin - key idea; using a session id as a refresh token - Register - user sends email & password using form - if the email is already used, server sends back error - (email verification TBA later) - server stores email & encrypted password in db - server starts the login process - Login - user sends email & password using form - if password doesn't matches, send back error - server creates a sessionid for the that email with n months expiry time and saves in db - server creates an encrypted jwt containing some of the user details and the sessionid, with n days expiry time - server creates a cookie containing the jwt and x hour expiry time - Auth check for guarded apis (via middleware) - user makes any api call which needs auth - if no cookie - redirect users to /login - server extracts the jwt from the cookie, and the user details and sessionid from the jwt - if jwt is not authentic - return error - if auth cookie has NOT expired - continue with requested api function - if auth cookie has expired AND jwt has NOT expired - generate new jwt with new expiry. set cookie with updated expiry using new jwt - continue with requested api function - if auth cookie has expired AND jwt has expired AND session id doesn't exists - delete cookie and redirect to /login - if auth cookie has expired AND jwt has expired AND sessionid has expired - delete sessionid - delete cookie and redirect to /login - if auth cookie has expired AND jwt has expired AND sessionid has NOT expired - generate new sessionid. replace old sessionid in db - generate new jwt. set cookie with new jwt - continue with requested api function - user details and session id are extracted from jwt - user details are used in authenticated api - Logout - get the session id from the jwt - delete the session id from db - delete the cookie - redirect to /login