[Feature]: Implement JWT Refresh Token
Description
Currently, our authentication system only issues short-lived access tokens.
When a user’s access token expires, they must log in again — which disrupts the user experience.
We need to implement JWT refresh tokens to allow secure token renewal without forcing re-authentication.
Motivation
- Improve user experience by maintaining sessions smoothly.
- Strengthen security with refresh token rotation and invalidation.
- Align our backend with best practices for modern authentication (OAuth2-like flow).
Proposed Solution
1. Backend (Spring Boot)
- Add a new endpoint: POST /api/auth/refresh
- Store refresh tokens in the database (or Redis) with expiry and user reference.
- Implement logic to:
- Validate refresh token
- Issue a new access token
- Rotate refresh tokens (invalidate the old one)
2. Frontend (Flutter)
- Intercept 401 Unauthorized responses and automatically call the refresh endpoint.
- Replace the expired access token in local storage (e.g., SharedPreferences or Secure Storage).
- Retry the failed request after refreshing the token.
Alternatives Considered
- Extending the access token lifetime — rejected for security reasons.
- Using only local storage persistence — not secure enough for production.
Expected Outcome
Implementing JWT refresh tokens will:
- Allow users to stay logged in securely without repeated logins.
- Improve session management and security.
- Follow industry best practices for token-based authentication.
Could you assign this issue to me @Prathamesh-007
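The backend steps under Proposed Solution (validate the refresh token, issue a new access token, rotate and invalidate the old refresh token), worked through as an added example. This is not code from this repository: it is plain Java with no Spring dependency, so the class name RefreshTokenService, the in-memory Map that stands in for the database or Redis table, the 15-minute and 7-day lifetimes, and the hand-built HS256 signing are all assumptions; in the real service the Map becomes a repository and the access JWT is produced by whatever JWT library the project already uses. It goes one step beyond the issue text by grouping tokens into a login "family" and revoking the whole family when an already-rotated token is presented again, which is how rotation actually catches a stolen refresh token instead of just expiring it. The Flutter interceptor is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Refresh-token rotation with reuse detection. Plain Java, no Spring: this is the
 * service a POST /api/auth/refresh controller would delegate to. The Map is an
 * assumption standing in for the refresh_tokens table or Redis; only SHA-256
 * hashes of refresh tokens are persisted, so a database leak does not leak sessions.
 */
public class RefreshTokenService {
    static final Duration ACCESS_TTL = Duration.ofMinutes(15);   // assumed lifetimes
    static final Duration REFRESH_TTL = Duration.ofDays(7);
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** One persisted row: owner, login family, expiry, and whether it was already rotated. */
    record Row(String userId, String familyId, Instant expiresAt, boolean used) {}
    public record TokenPair(String accessToken, String refreshToken) {}

    private final byte[] hmacKey;                                      // HS256 key for access tokens
    private final Map<String, Row> store = new ConcurrentHashMap<>();  // key = sha256(refreshToken)

    public RefreshTokenService(byte[] hmacKey) { this.hmacKey = hmacKey; }

    /** Called after a successful password login: starts a new token family. */
    public TokenPair login(String userId) {
        return issue(userId, randomToken());
    }

    /** The refresh endpoint: validate, rotate (invalidate the old token), issue a fresh pair. */
    public TokenPair refresh(String presented) {
        String key = sha256(presented);
        Row row = store.get(key);
        if (row == null) throw new SecurityException("unknown refresh token");
        if (row.used()) {
            // An already-rotated token is being replayed: either the client or an
            // attacker holds a stale copy, and we cannot tell which. Revoke the family.
            store.entrySet().removeIf(e -> e.getValue().familyId().equals(row.familyId()));
            throw new SecurityException("refresh token reuse detected; session family revoked");
        }
        if (row.expiresAt().isBefore(Instant.now())) {
            store.remove(key);
            throw new SecurityException("refresh token expired");
        }
        store.put(key, new Row(row.userId(), row.familyId(), row.expiresAt(), true)); // old token is now dead
        return issue(row.userId(), row.familyId());
    }

    private TokenPair issue(String userId, String familyId) {
        String refresh = randomToken();  // opaque, 256 bits of entropy; never stored in clear
        store.put(sha256(refresh), new Row(userId, familyId, Instant.now().plus(REFRESH_TTL), false));
        return new TokenPair(accessJwt(userId), refresh);
    }

    /** Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256). */
    private String accessJwt(String userId) {
        long now = Instant.now().getEpochSecond();
        // userId must be an opaque identifier, not free text, since the payload is built by hand here.
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(String.format("{\"sub\":\"%s\",\"iat\":%d,\"exp\":%d}",
                userId, now, now + ACCESS_TTL.toSeconds()).getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return signingInput + "." + B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return B64.encodeToString(b);
    }

    private static String sha256(String s) {
        try {
            return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        RefreshTokenService svc = new RefreshTokenService(key);
        TokenPair first = svc.login("user-42");                 // constructed sample user
        TokenPair second = svc.refresh(first.refreshToken());   // normal rotation
        System.out.println("rotated: " + !first.refreshToken().equals(second.refreshToken()));
        try { svc.refresh(first.refreshToken()); }              // replay of the rotated token
        catch (SecurityException e) { System.out.println("replay: " + e.getMessage()); }
        try { svc.refresh(second.refreshToken()); }             // newest token is dead too
        catch (SecurityException e) { System.out.println("family: " + e.getMessage()); }
    }
}
```

Two points worth carrying into the Spring implementation: the reuse check must run before the expiry check, otherwise an attacker replaying an expired stolen token gets a silent "expired" instead of triggering family revocation; and the lookup key is the hash of the presented token, so the store never needs the token itself and the comparison is a plain key lookup rather than a timing-sensitive string compare.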