I am doing the following in my React/Node app:

1. Using the User Pools for a Cognito app that I have created.
2. Calling the `/login` endpoint with `response_type=token` in my React app.
3. Once I receive the JWT token, I pass it to my Node/Express server in a header (my server is using SSL).
4. On the Node server, using the cognito-express package to call `cognitoExpress.validate(accessTokenFromClient, callback)` to validate the token.
5. If the call is successful, saving the user details (email etc.) and the JWT in `localStorage` in the React app.

And then, for every call to my server, I am repeating steps 3 and 4 above (validating the JWT) to ensure that the user is authenticated.

My concerns with the above approach are:

1. I am unsure if cognito-express is actually calling Cognito, or is it just decoding the JWT and making a decision on its validity locally.
2. I tried leaving the session open overnight, and I expected that the call to `cognitoExpress.validate(accessTokenFromClient, callback)` would fail (because the JWT expires in an hour), but it didn't. Does this mean that an expired JWT token is considered as a valid claim?
3. If the user was authenticated and his JWT has expired, how do I refresh the JWT without asking him to login again?