I’m trying to create a refresh token after my first token expires so that a user can continue to do CRUD functionalities and continue to be logged in. However, I am getting a 403 Forbidden error after a user tries to make a comment and a 401 Unauthorized error after trying to refresh a token. I also see in the Redux devtools the token is still the same old token and doesn’t show a new one.
I added the code below that i believe can most helpful. It’s a MERN project with Redux and Axios. Im trying to store JWT in cookies. Any help would be appreciated. Thanks!
// Function to create a new comment and display new comment by calling fetchComments
const submitComment = (data) => {
(async () => {
try {
await axiosPrivate.post(`/blog/post/${id}/comment/newComment`, data)
console.log("new comment");
fetchComments()
toast.success("You added a new comment!")
} catch (error) {
if (error.response) setErrorsServer(error.response.data.errors)
toast.error("Unable to create a new comment")
}
})();
reset()
if (errorsServer) setErrorsServer('')
}
Thanks for the reply. I’m not sure if i understood correctly but here is what I got.
I believe that I am assigning the new token on the server side. While using Postman I first sign in and get a token. Then to do a GET request to (/api/auth/refresh) I paste the token I got from signing in into the Headers option in Postman by doing
Bearer TOKEN STRING
Then I click the button to do my GET request and I get a new token.
In the axios interceptor I try to do a get request to (/refresh) after checking if my old token expired and assign the new token to my headers. That way I can continue to do CRUD functionalities (just like in the PostDetails.js I use the interceptor which should have the appropriate header already assigned).
I believe my issue is that when I do the refresh request in the interceptor it’s unable to go through because it doesn’t have a token assigned in its headers which could explain the 401 error. The 403 I think is because the first token already expired thus unable to do the post request to add a new comment.
I tried adding a the old token as a header through doing the below in the interceptor.
const user = store.getState().auth.user
axios.get(url, {
headers:{
Authorization: ${user.access})
or axiosPrivate.get(url)
I was able to get rid of my 401 error by creating another file and making an axios call to do my refresh and added it to my interceptor.
I still get the 403 Forbidden for when I try to create a new comment. I see in the network tab that there is a token in the authorization header but it is the old token from when I logged in. It wasn’t replaces with the new token. Which makes me wonder if the refresh token even happened or the new token isn’t properly replacing the old token in my store.
// SERVER
router.get('/protected', (req, res) => {
// Check if cookie is still valid
if (req.cookies === 'old-token') {
// Generate new cookie, and send it
// to the client in the response (the
// browser knows what to do with this)
res.cookie(jwt.sign('new-token'));
}
return res.status(200);
});
The client should not have to wait for a failed request, before requesting a new cookie (unless you want some explicit input from the user).
The client should not set its own cookies. It should let the response update the necessary cookies.
If you want to go a different way, that is fine, but I am not sure what you are wanting to do.