refreshAccessToken method
Future<AuthSuccess>
refreshAccessToken(
- Session session, {
- required String refreshToken,
- Transaction? transaction,
Returns an access token while also rotating the refresh token.
Invalidates the previous refresh token as security best practice.
Automatically registers authentication revocation via
session.messages.authenticationRevoked when refresh tokens are expired or
have invalid secrets. If this behavior is not desired, use
JwtAdmin.rotateRefreshToken instead.
Implementation
/// Exchanges a refresh token for a fresh access token, rotating the refresh
/// token in the same step.
///
/// Rotation is delegated to [admin.rotateRefreshToken]; the access token it
/// returns is then verified with [jwtUtil.verifyJwt], and the verified claims
/// (expiry, auth user id, scope names) are copied into the returned
/// [AuthSuccess] together with the new refresh token.
///
/// When the presented refresh token is expired or carries an invalid secret,
/// a revocation for the affected auth user and refresh token id is published
/// through `session.messages.authenticationRevoked` before the original
/// exception is rethrown, so the caller still observes the failure. Callers
/// that do not want the revocation broadcast should use
/// [JwtAdmin.rotateRefreshToken] directly.
///
/// All work runs inside [_withReplacedServerJwtException].
Future<AuthSuccess> refreshAccessToken(
  final Session session, {
  required final String refreshToken,
  final Transaction? transaction,
}) async {
  // Builds the revocation payload for a refresh token id; only its string
  // form is needed, so any id type is accepted.
  RevokedAuthenticationAuthId revokedIdFor(final Object? refreshTokenId) =>
      RevokedAuthenticationAuthId(authId: refreshTokenId.toString());

  return _withReplacedServerJwtException(() async {
    try {
      final rotated = await admin.rotateRefreshToken(
        session,
        refreshToken: refreshToken,
        transaction: transaction,
      );
      // Verifying the newly issued access token is also what yields the
      // claims we hand back to the caller.
      final claims = jwtUtil.verifyJwt(rotated.accessToken);
      return AuthSuccess(
        authStrategy: AuthStrategy.jwt.name,
        token: rotated.accessToken,
        tokenExpiresAt: claims.tokenExpiresAt,
        refreshToken: rotated.refreshToken,
        authUserId: claims.authUserId,
        scopeNames: claims.scopes.names,
      );
    } on RefreshTokenExpiredServerException catch (error) {
      // Broadcast the revocation first, then let the caller see the failure.
      await session.messages.authenticationRevoked(
        error.authUserId.uuid,
        revokedIdFor(error.refreshTokenId),
      );
      rethrow;
    } on RefreshTokenInvalidSecretServerException catch (error) {
      // Same handling as the expired case: revoke, then surface the error.
      await session.messages.authenticationRevoked(
        error.authUserId.uuid,
        revokedIdFor(error.refreshTokenId),
      );
      rethrow;
    }
  });
}