Issuing refresh token in laravel sanctum expires without checking the token lifetime #50480
Unanswered
charlie87041 asked this question in Q&A
Replies: 3 comments
-
It's my problem too.
-
@charlie87041 In

```php
/*
|--------------------------------------------------------------------------
| Expiration Minutes
|--------------------------------------------------------------------------
|
| This value controls the number of minutes until an issued token will be
| considered expired. If this value is null, personal access tokens do
| not expire. This won't tweak the lifetime of first-party sessions.
|
| NOTE: this key is used for all types of tokens so it's better to use custom ones.
*/
'expiration' => null, // never

/*
|--------------------------------------------------------------------------
| Access Token Expiration in Minutes
|--------------------------------------------------------------------------
*/
'access_token_expiration' => 60,

/*
|--------------------------------------------------------------------------
| Refresh Token Expiration in Minutes
|--------------------------------------------------------------------------
*/
'refresh_token_expiration' => 710080,
```

When generating tokens:

```php
// ** Access token
$token = $user->createToken(
    "access_token",
    ['platform:' . $platform->id],
    Carbon::now()->addMinutes(config('sanctum.access_token_expiration'))
);
$data['token'] = $token->plainTextToken;
$data['token_expires_at'] = $token->accessToken["expires_at"];

// ** Refresh token
$tokenExpire = $user->createToken('refresh_token', [
    TokenAbilityConstant::ISSUE_ACCESS_TOKEN,
    'platform:' . $platform->id
], Carbon::now()->addMinutes(config('sanctum.refresh_token_expiration')));
$data['refresh_token'] = $tokenExpire->plainTextToken;
$data['refresh_token_expires_at'] = $tokenExpire->accessToken["expires_at"];
```

For the refresh token route:

```php
Route::middleware(['auth:sanctum', 'ability:' . TokenAbilityConstant::ISSUE_ACCESS_TOKEN])->group(function () {
    Route::post('/onely-portal/auth/refresh-token', RefreshTokenController::class);
});
```

Generate a fresh API token and send it in the response:

```php
// ** Access token
$token = $user->createToken(
    "access_token",
    ['platform:' . $platformId],
    Carbon::now()->addMinutes(config('sanctum.access_token_expiration'))
);
$data['token'] = $token->plainTextToken;
$data['token_expires_at'] = $token->accessToken["expires_at"];
```

Just don't modify "expiration" and use your own:

```php
'expiration' => null, // never
```
-
Everything you did works, just don't modify the 'expiration' property in the config because it overrides whatever expiration date you set when creating the token:
-
Currently issuing a refresh token for an API, with abilities and a custom expiration time of one week, and yet it throws 401 Unauthorized.

On config/sanctum.php:

```php
'expiration' => 60 * 8, // 8 hours
'rt_expiration' => 7 * 24 * 60, // 7 Days
```

Refresh token generation code

Flow is: when the client detects the authorization token is about to expire, it sends a request to /refresh-token, using the refresh token previously issued as the Bearer Token. Problem is Laravel Sanctum does not check the token expiration date, but its created_at. So, no matter how big its lifetime is, it will always be limited by its creation date and config('sanctum.expiration').

Here is the code where the check is performed, in Sanctum's Guard class

Why is that? Why not check the expiration date instead?

As a workaround, I am currently setting the same value for the refresh token's created_at and expires_at
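To make concrete the interaction the question reports (a week-long refresh token rejected with 401) and the advice in the answer above (leave the global `expiration` at `null` and rely on per-token lifetimes), here is a stand-alone model of the two lifetime checks a Sanctum-style guard applies to a token. This is an added example written for this page, not Sanctum's code and not code from any of the posters; it uses plain PHP only and assumes, as the thread does, that a non-null global `expiration` is a lifetime in minutes counted from `created_at`, that it is evaluated alongside the token's own `expires_at`, and that a token is accepted only when both checks pass.

```php
<?php
declare(strict_types=1);

// Added example for this discussion: a plain-PHP model of the two lifetime
// checks a Sanctum-style guard applies to a personal access token. It is not
// Sanctum's code and uses no Laravel classes. Assumptions (from the thread):
//   1. a non-null global config('sanctum.expiration') is a lifetime in minutes
//      measured from the token's created_at;
//   2. the per-token expires_at set via createToken() is checked as well;
//   3. a token is accepted only when both checks pass.
// Consequence: a non-null global 'expiration' caps every token, including a
// refresh token created with a longer expires_at, which is the 401 the
// question describes.

function isTokenValid(
    ?int $globalExpirationMinutes,  // config('sanctum.expiration'), null = disabled
    DateTimeImmutable $createdAt,   // personal_access_tokens.created_at
    ?DateTimeImmutable $expiresAt,  // personal_access_tokens.expires_at, null = none
    DateTimeImmutable $now
): bool {
    // Check 1: global lifetime, counted from creation time.
    $withinGlobalLifetime = $globalExpirationMinutes === null
        || $createdAt > $now->modify("-{$globalExpirationMinutes} minutes");

    // Check 2: the token's own expiry timestamp.
    $notExpired = $expiresAt === null || $expiresAt > $now;

    return $withinGlobalLifetime && $notExpired;
}

// Constructed scenario mirroring the question: a refresh token issued with a
// seven-day lifetime, presented nine hours after issue (past an 8-hour global
// cap, far inside its own lifetime), and again eight days after issue.
$utc         = new DateTimeZone('UTC');
$issuedAt    = new DateTimeImmutable('2024-01-01 00:00:00', $utc);
$expiresAt   = $issuedAt->modify('+7 days');
$nineHoursOn = $issuedAt->modify('+9 hours');
$eightDaysOn = $issuedAt->modify('+8 days');

$cases = [
    // The question's config: 'expiration' => 60 * 8. The refresh token is
    // rejected at nine hours even though expires_at is a week away.
    "expiration=480, +9h"  => isTokenValid(60 * 8, $issuedAt, $expiresAt, $nineHoursOn),
    // The answer's advice: 'expiration' => null. Only expires_at governs, so
    // the refresh token is still accepted at nine hours ...
    "expiration=null, +9h" => isTokenValid(null, $issuedAt, $expiresAt, $nineHoursOn),
    // ... and is still rejected once its own expires_at has passed.
    "expiration=null, +8d" => isTokenValid(null, $issuedAt, $expiresAt, $eightDaysOn),
];

foreach ($cases as $label => $valid) {
    printf("%-22s -> %s\n", $label, $valid ? 'accepted' : 'rejected (401)');
}
```

Run it with `php example.php`. The first case reproduces the question's symptom: the global cap, counted from `created_at`, fires long before the refresh token's own `expires_at`. The second and third cases show why the answer's configuration works: with the global value at `null`, the per-token `expires_at` set in `createToken()` is the only lifetime that applies, so the long-lived refresh token and the short-lived access token can each expire on their own schedule while still being rejected once that schedule runs out.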