Session refresh

POST

/sessions/refresh

Will generate a new session token for the user using refresh token. Handles both xid and JWT refresh token. Using redis for idempotency on handling double rapid request.

refreshToken=xid Flow:

Validate request.
- refreshToken is required.
- Device info are coming from headers, and they’re optional.
Get refreshToken from DB.
Validate refreshToken should exists and not expired.
Rotate refreshToken, updating the refreshToken record with new xid token. This steps invalidate the old refreshToken.
- If not an admin, rotate refreshToken.
- If admin, don’t rotate refreshToken, and return the same refreshToken.(this is to force admin to do daily login)
Update user’s last_active_at.
Generate JWT access token and return to user.

refreshToken=jwt Flow:

Validate request.
- refreshToken is required.
- Device info are coming from headers, and they’re optional.
Decode JWT token.
Get user by id from JWT claims.
Insert to refresh_token table.
Update user’s last_active_at.
Generate JWT access token and return to user.

Authorizations

JWT

Request Body

SessionRefreshRequest

object

refreshToken

string

b9cc107c9b4bfa4a5a42ff89

Responses

200

object

data

object

accessToken

string

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoLXNlcnZpY2UiLCJzdWIiOiI2NWI4YTE2MjYzNTEyNjAwMTI3YTQxYTQiLCJleHAiOjE3MzkyNzYwNzMsIm5iZiI6MTczOTI3NTE3MywiaWF0IjoxNzM5Mjc1MTczLCJqdGkiOiJjdWxqbjlhc3A1anJmam83NWdiZyIsImlkIjoiNjViOGExNjI2MzUxMjYwMDEyN2E0MWE0IiwidXNlclR5cGUiOiJETlQiLCJpc0FkbWluIjp0cnVlLCJkZXZpY2VJZCI6MzE4M30.ZuzROGxJ1pq_veRe93Z8bfS5YTzmAp5_wrzTUmvLzk8

expiresIn

integer

refreshToken

string

culjn9asp5jrfjo75gc0

tokenType

string

Bearer

400

Bad request

object

error

string

some meaningful error message

401

Unauthorized

object

error

string

some meaningful error message

403

Forbidden

object

error

string

some meaningful error message

500

Internal server error

object

error

string

some meaningful error message