Strapi Refresh Token Plugin
Strapi 5 Refresh token functionality.
Strapi Plugin that extends the local authorization functionality to provide Refresh tokens.
⚠️ Compatibility with Strapi versions
- This plugin relies on the new `documentId` in Strapi 5. It will not work with earlier versions!
- Works with the `local` provider only.
⚙️ Installation
To install the Strapi Refresh Token Plugin, run one of the following commands:

```shell
npm install @redon2inc/strapi-plugin-refresh-token
```

```shell
yarn add @redon2inc/strapi-plugin-refresh-token
```
Config
You will need to set the following environment variables:

```shell
PRODUCTION_URL=value # used for cookie security if enabled
REFRESH_JWT_SECRET=string
```
This plugin relies on extending the users-permissions content types. Extend the user type by adding the following to `./src/extensions/users-permissions/content-types/user/schema.json`:

```jsonc
{
  // .. rest of schema
  "attributes": {
    // .. rest of attributes
    "refresh_tokens": {
      "type": "relation",
      "relation": "oneToMany",
      "target": "plugin::refresh-token.token",
      "mappedBy": "user",
      "private": true,
      "configurable": false
    }
  }
  // rest of schema
}
```
Modify your plugins file `config/plugins.ts` to have the following:

```ts
// config/plugins.ts
export default ({ env }) => ({
  // ..other plugins
  'users-permissions': {
    config: {
      jwt: {
        /* the following parameter will be used to generate:
           - regular tokens with username and password
           - refreshed tokens when using the refreshToken API
        */
        expiresIn: '2h', // This value should be lower than the refreshTokenExpiresIn below.
      },
    },
  },
  'refresh-token': {
    config: {
      refreshTokenExpiresIn: '30d', // this value should be higher than the jwt.expiresIn
      requestRefreshOnAll: false, // automatically send a refresh token in all login requests.
      // The fallback only keeps local development running; set REFRESH_JWT_SECRET in every deployed environment.
      refreshTokenSecret: env('REFRESH_JWT_SECRET') || 'SomethingSecret',
      cookieResponse: false, // if set to true, the refresh token will be sent in a cookie
      refreshTokenRotation: false, // forces a new Refresh token, deleting the previously used one from the db.
    },
  },
});
```
API Usage:
When calling `POST /api/auth/local`, include the `requestRefresh` parameter:

```json
{
  "identifier": "username",
  "password": "VerySecurePassword",
  "requestRefresh": true
}
```
The API will respond with the following:
```jsonc
{
  "jwt": "token...",
  "user": { /* user object */ },
  "refreshToken": "RefreshToken..."
}
```
To request a new access token, send `POST /api/auth/local/refresh` with the following payload:

```json
{
  "refreshToken": "RefreshToken..."
}
```
If the refresh token is valid, the API returns:

```jsonc
{
  "jwt": "NewAccessToken..",
  "refreshToken": "NewRefreshToken.." // only present if config.refreshTokenRotation is set to true
}
```
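As an added example (not part of this plugin), a small Node client for the login and refresh calls above: it logs in with `requestRefresh: true`, refreshes shortly before the access token's `exp`, and only replaces the stored refresh token when the response carries one, which is what the `refreshTokenRotation` setting changes. The `baseUrl`, the `RefreshTokenSession` name and the injectable `fetchImpl` are assumptions of the example, not plugin API.

```javascript
const LOGIN_PATH = '/api/auth/local';
const REFRESH_PATH = '/api/auth/local/refresh';
// Read the exp claim (ms since epoch) without verifying; the server verifies signatures.
function jwtExpiresAt(jwt) {
  const payload = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  return typeof claims.exp === 'number' ? claims.exp * 1000 : null;
}

class RefreshTokenSession {
  constructor(baseUrl, fetchImpl = globalThis.fetch) { // fetchImpl: assumed, for offline use
    this.baseUrl = baseUrl;
    this.fetchImpl = fetchImpl;
    this.jwt = null;
    this.refreshToken = null;
  }

  async post(path, body) {
    const res = await this.fetchImpl(this.baseUrl + path, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return res.json();
  }

  // Log in with requestRefresh: true so the response carries a refresh token.
  async login(identifier, password) {
    const data = await this.post(LOGIN_PATH, { identifier, password, requestRefresh: true });
    this.jwt = data.jwt;
    this.refreshToken = data.refreshToken;
    return data.user;
  }

  async refresh() {
    const data = await this.post(REFRESH_PATH, { refreshToken: this.refreshToken });
    this.jwt = data.jwt;
    // With rotation the used token is deleted server-side, so the new one must replace it.
    if (data.refreshToken) this.refreshToken = data.refreshToken;
    return this.jwt;
  }

  // Return a JWT with at least skewMs of validity left, refreshing if needed.
  async accessToken(skewMs = 30000) {
    const exp = this.jwt ? jwtExpiresAt(this.jwt) : null;
    if (exp === null || exp - Date.now() < skewMs) await this.refresh();
    return this.jwt;
  }
}
```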
TODO:
- Expose API so user can clear all sessions on their own.