DEV Community

loading...

Discussion on: 12 - Store Refresh Tokens in Redis

jacobsngoodwin profile image
Jacob Goodwin Author

No worries! I think it's awesome you're doing this in a second language.

I'm glad you were able to sort your issue out from the client side!

There is at least one potential issue I am aware of with my application.

If you sign in repeatedly (without signing out), the redis store will keep creating refresh tokens. So it is possible you would add tons of entries in Redis!

From the "good guy" developer's perspective, you will define your client-side code to avoid this. But it would be good to have a safety mechanism or some logic to prevent this on the server.

Maybe sending a cookie with the client's ID (an ID that is unique per device/browser) in the authentication responses (sign in/sign up), and then checking this on incoming requests would be helpful, but I haven't thought this through yet.

I would be interested in seeing how services like Auth0 handle this in their API.

Best of luck with your app!