Understanding refresh token mechanism

[mateuszwojt]

I'm trying to set up a token refresh mechanism using a mutation. My code is loosely based on jwt-guide, but I'm using URQL instead of Apollo as a client.

Here I submit the refresh token and user fingerprint and get back a JWT token:

const REFRESH_TOKEN_ACTION = `
mutation ($refreshToken: String!, $fingerprintHash: String!) {
  refreshJwtToken(refreshToken: $refreshToken, fingerprintHash: $fingerprintHash) {
    jwt
  }
}
`;

but the exchange where this refresh mutation is triggered happens obviously when the current JWT expires. My problem is that in my request I'm sending the Authorization header, and Hasura doesn't let me run this operation because the token in the header is expired. Is there something I'm missing in the configuration of Hasura action? Should I get rid of the Authorization header when refreshing the token? What's the correct approach?

[ivorpad]

You need to refresh with x-hasura-admin-secret, there's no point in refreshing an access token client side if the said token is expired. If you're using Next.js you just need to create an api route /api/refresh-token and send the refreshJwtToken mutation via this route and send the hasura admin secret header in the request.

Apollo has Links which you can use to intercept the request before it reaches Hasura, this is where I exchange tokens if the access token is expired. I think there's a way to do it with URQL urql-graphql/urql#2062