Skip to content

Implement JWT Refresh Token #35

Description

@OkechukwuOdo

[Feature]: Implement JWT Refresh Token

Description

Currently, our authentication system only issues short-lived access tokens.
When a user’s access token expires, they must log in again — which disrupts the user experience.
We need to implement JWT refresh tokens to allow secure token renewal without forcing re-authentication.


Motivation

  • Improve user experience by maintaining sessions smoothly.
  • Strengthen security with refresh token rotation and invalidation.
  • Align our backend with best practices for modern authentication (OAuth2-like flow).

Proposed Solution

1. Backend (Spring Boot)

  • Add a new endpoint: POST /api/auth/refresh
  • Store refresh tokens in the database (or Redis) with expiry and user reference.
  • Implement logic to:
    • Validate refresh token
    • Issue a new access token
    • Rotate refresh tokens (invalidate the old one)

2. Frontend (Flutter)

  • Intercept 401 Unauthorized responses and automatically call the refresh endpoint.
  • Replace expired access token in local storage (e.g., SharedPreferences or Secure Storage).
  • Retry the failed request after refreshing the token.

Alternatives Considered

  • Extending the access token lifetime — rejected for security reasons.
  • Using only local storage persistence — not secure enough for production.

Expected Outcome

Implementing JWT refresh tokens will:

  • Allow users to stay logged in securely without repeated logins.
  • Improve session management and security.
  • Follow industry best practices for token-based authentication.

Could you assign this issue to me @Prathamesh-007

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions