How to create a session in Node.js + React
I am working on a React front-end app and the middleware is written in Node.js. I am using an OAuth access token which expires in 3600 ms, so I need to create a session for 7 days so the user won't be logged out before 7 days.
What is the way to create a session? Do I need to do it in the React app or the Node.js app?
PS: We do not want to implement the refresh token approach. Is there any way to set up a session that is valid for 7 days?
Solution 1:[1]
You can use an access token + refresh token to achieve this. Use shorter access tokens and keep a 7-day expiry for the refresh token.
Upon the expiry of the access token, you can refresh it by passing the refresh token. This will work until the refresh token's 7-day expiry is reached. Then the user has to log in again.
Something like the following:
import jwt from "jsonwebtoken";
// UserResponse and storeRefreshToken are the answer's own types/helpers; their
// bodies are not shown on the page and the module paths below are assumed.
import type { UserResponse } from "./types";
import { storeRefreshToken } from "./tokenRepository";

// Read a signing secret from the environment and fail fast if it is missing,
// rather than passing `undefined` to jwt.sign.
const requireEnv = (name: string): string => {
  const value = process.env[name];
  if (!value) throw new Error(`Missing environment variable ${name}`);
  return value;
};

// Short-lived access token (1 hour): carries the claims the API needs per request.
export const generateAccessToken = (user: UserResponse): string => {
  return jwt.sign(
    {
      userId: user.user_id,
      clientId: user.client_id,
      createdAt: new Date().getTime(),
      storageKey: user.storageKey ?? "",
      pipelineKey: user.pipelineKey ?? "",
    },
    requireEnv("ACCESS_TOKEN_SECRET"),
    { expiresIn: `3600s` }
  );
};

// Long-lived refresh token (7 days): signed with a separate secret, carries only
// the user id, and is persisted so it can be looked up and revoked server-side.
export const generateRefreshToken = async (
  user: UserResponse
): Promise<string> => {
  const refreshToken = jwt.sign(
    {
      userId: user.user_id,
    },
    requireEnv("REFRESH_TOKEN_SECRET"),
    { expiresIn: `7d` }
  );
  const status = await storeRefreshToken(user.user_id, refreshToken);
  if (status) {
    return refreshToken;
  } else {
    throw new Error("Error while storing refresh token");
  }
};
The refresh-token endpoint would be something like this:
import { Router, Request, Response } from "express";
import { transformAndValidate } from "class-transformer-validator";
// The DTO, token/user lookups and response helpers below are the answer's own;
// their bodies are not shown on the page and the module paths are assumed.
import { RefreshTokenRequestDto } from "./dto/refreshTokenRequest";
import { authenticateRefreshToken, getRefreshTokenByToken } from "./auth";
import { getUserById } from "./users";
import { generateAccessToken } from "./tokens";
import {
  generateSuccessResponse,
  generateFailedResponse,
  formatValidationErrorMsg,
  AppCodes,
} from "./responses";

const authRouter = Router();

authRouter.post("/refresh-token", async (request: Request, response: Response) => {
  // Validate the request body shape first; a malformed body is rejected below.
  await transformAndValidate(RefreshTokenRequestDto, request.body)
    .then(async (refreshTokenRequest: any) => {
      // Step 1: the refresh token must be a JWT with a valid signature and expiry.
      if (authenticateRefreshToken(refreshTokenRequest.refreshToken)) {
        // Step 2: it must also match a stored record that is still active and
        // unexpired, so a token can be revoked server-side before its JWT expiry.
        const dbRefreshToken = await getRefreshTokenByToken(
          refreshTokenRequest.refreshToken
        );
        if (
          dbRefreshToken &&
          dbRefreshToken.user_id &&
          dbRefreshToken.active &&
          dbRefreshToken.expiry_at >= new Date()
        ) {
          const user = await getUserById(dbRefreshToken.user_id);
          if (user) {
            // Issue a new 1-hour access token. The same refresh token is returned
            // (no rotation), so its 7-day expiry is the hard limit of the session.
            const jwtToken = generateAccessToken(user);
            return response.status(200).send(
              generateSuccessResponse({
                accessToken: jwtToken,
                refreshToken: dbRefreshToken.token,
                fullName: user.username,
              })
            );
          } else {
            return response
              .status(400)
              .json(
                generateFailedResponse(
                  "Invalid User",
                  AppCodes.REFRESHTOKENFAIL
                )
              );
          }
        } else {
          return response
            .status(400)
            .json(
              generateFailedResponse(
                "Refresh Token Failed",
                AppCodes.REFRESHTOKENFAIL
              )
            );
        }
      } else {
        return response
          .status(400)
          .json(
            generateFailedResponse(
              "Refresh Token JWT Validation Failed",
              AppCodes.REFRESHTOKENFAIL
            )
          );
      }
    })
    .catch((err) => {
      response
        .status(400)
        .json(
          generateFailedResponse(
            formatValidationErrorMsg(err),
            AppCodes.VALIDATIONFAILED
          )
        );
    });
});
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Ranga D |
