[HttpPost("refresh-token")]
public async Task<ActionResult<string>> RefreshToken()
{
var refreshToken = Request.Cookies["refreshToken"];
if (!user.RefreshToken.Equals(refreshToken))
{
return Unauthorized("Invalid Refresh Token.");
}
else if(user.TokenExpires < DateTime.Now)
{
return Unauthorized("Token expired.");
}
string token = CreateToken(user);
var newRefreshToken = GenerateRefreshToken();
SetRefreshToken(newRefreshToken);
return Ok(token);
}
private RefreshToken GenerateRefreshToken()
{
var refreshToken = new RefreshToken
{
Token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64)),
Expires = DateTime.Now.AddDays(7),
Created = DateTime.Now
};
return refreshToken;
}
private void SetRefreshToken(RefreshToken newRefreshToken)
{
var cookieOptions = new CookieOptions
{
HttpOnly = true,
Expires = newRefreshToken.Expires
};
Response.Cookies.Append("refreshToken", newRefreshToken.Token, cookieOptions);
user.RefreshToken = newRefreshToken.Token;
user.TokenCreated = newRefreshToken.Created;
user.TokenExpires = newRefreshToken.Expires;
}
References
https://www.youtube.com/watch?v=HGIdAn2h8BA
https://www.youtube.com/watch?v=LowJMwa7LCU
https://passage.id/post/how-refresh-tokens-work-a-complete-guide-for-beginners?utm_source=pocket_reader
https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/?utm_source=pocket_reader