taskcafe/api
2020-04-11 14:24:45 -05:00
..
cmd initial commit 2020-04-09 21:40:22 -05:00
graph feature: ability to delete task groups 2020-04-11 14:24:45 -05:00
migrations initial commit 2020-04-09 21:40:22 -05:00
pg feature: ability to delete task groups 2020-04-11 14:24:45 -05:00
query feature: ability to delete task groups 2020-04-11 14:24:45 -05:00
router cleanup: merge types & add graphql-codegen-cli 2020-04-09 22:27:57 -05:00
scripts initial commit 2020-04-09 21:40:22 -05:00
go.mod feature(api): update gqlgen & add complexity limit 2020-04-10 21:22:22 -05:00
go.sum feature(api): update gqlgen & add complexity limit 2020-04-10 21:22:22 -05:00
gqlgen.yml initial commit 2020-04-09 21:40:22 -05:00
Pipfile initial commit 2020-04-09 21:40:22 -05:00
README.md initial commit 2020-04-09 21:40:22 -05:00
sqlc.yaml initial commit 2020-04-09 21:40:22 -05:00

Authentication

Uses a refresh_token and access_token system.

The refresh_token is an opaque UUID based token. The access_token is a JWT token containing several claims such as sub & roles

The refresh_token is stored in a database and is long lived (24 hours). It is sent to the client as a cookie set to be HttpOnly.

The access_token is not stored in the database & is only stored in memory on the client side. It is short lived (5 minutes).

The access_token is used to authenticate all endpoints except endpoints under /auth

The access_token is refreshed using the refresh_token through the /auth/refresh_token endpoint. This endpoint takes in the refresh_token set VIA a cookie header & returns a new refresh_token & access_token if the refresh_token is still valid. The old refresh_token is invalidated.