I built a social network app for a client using a Bubble frontend and Xano as the backend.
Some product requirements:
Users may log into multiple profile sessions at the same time.
Users should not have to log in repeatedly.
Using long-lived authTokens can help with the repeated log-in issue, but we are worried about not being able to invalidate tokens.
So...
I set up session tables and use secure cookies to save a short-lived authToken, in addition to creating long-lived refresh tokens.
When a user signs in:
- add record in session with user and session details
- create authToken with short expiration with user_id and session_id in the claims
- create refreshToken with long expiration with user_id and session_id in the claims
- add record in refreshToken with token and session_id
- set the refresh token into a Secure, HttpOnly cookie.
- return authToken
When an authToken is used and has expired, we generate and return a new authToken at the refresh endpoint, using the refreshToken from the cookie.
I can currently invalidate sessions by marking them invalid or deleting them in the dashboard, forcing users to re-login upon an auth error.
I'd love some pointers or suggestions to improve or simplify this flow.
Thank you
I built session based auth with cookies for bubble. Looking for criticism!
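The flow from the post, as an added example in Python that is not part of the original post or of Bubble/Xano: in-memory dicts stand in for the session and refreshToken tables, a small HMAC-signed token stands in for a JWT, and `now` is passed in so expiry is explicit. It goes slightly beyond the post with two checks a reviewer would ask for: a `typ` claim so the two tokens cannot be swapped for each other, and a session lookup on every request so a revoked session stops working before its authToken expires.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"constructed-demo-signing-key"  # assumption: held server-side only
AUTH_TTL, REFRESH_TTL = 15 * 60, 30 * 24 * 3600  # seconds: short- vs long-lived
sessions = {}        # constructed session table: session_id -> {"user_id", "valid"}
refresh_tokens = {}  # constructed refreshToken table: sha256(token) -> session_id

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims):
    # Compact HMAC-signed token, base64(claims).base64(sig)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def verify(token, now):
    # Claims come back only when the signature is valid and exp is still in the future
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None

def sign_in(user_id, now):
    sid = secrets.token_hex(8)
    sessions[sid] = {"user_id": user_id, "valid": True}
    auth = sign({"sub": user_id, "sid": sid, "exp": now + AUTH_TTL})
    # "typ" stops a refresh token from being presented as an authToken (and the reverse)
    refresh = sign({"sub": user_id, "sid": sid, "typ": "refresh", "exp": now + REFRESH_TTL})
    refresh_tokens[hashlib.sha256(refresh.encode()).hexdigest()] = sid  # hashed at rest
    return auth, refresh  # refresh goes in a Secure; HttpOnly; SameSite cookie, auth in the body

def authenticate(auth_token, now):
    # Per-request check; consulting the session table makes revocation take effect at once
    claims = verify(auth_token, now)
    if not claims or "typ" in claims or not sessions.get(claims["sid"], {}).get("valid"):
        return None
    return claims["sub"]

def refresh_endpoint(refresh_cookie, now):
    # New authToken only for a refresh token we issued, bound to a session that is still valid
    claims = verify(refresh_cookie, now)
    sid = refresh_tokens.get(hashlib.sha256(refresh_cookie.encode()).hexdigest())
    if (not claims or claims.get("typ") != "refresh" or sid != claims["sid"]
            or not sessions.get(sid, {}).get("valid")):
        return None
    return sign({"sub": claims["sub"], "sid": sid, "exp": now + AUTH_TTL})

def revoke_session(sid):
    # Dashboard action: the session's authToken and refreshToken both stop working
    if sid in sessions:
        sessions[sid]["valid"] = False
```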