Angular + Spring boot Jwt refresh token feature

Question

I created a refresh token feature to secure Jwt authentication in my website. But there was a problem, jwt token was being refreshed as many times as it expired until user decided to log out. I decided to make refresh tokens expire in a period of time to make users log in periodically.

I couldn't come up with anything but throwing a 500 exception in spring when such a token had expired. Later, token interceptor in Angular catches it and logs out. However, this code works, but I suspect my implementation not to be good. Could you give me a piece of advice how to improve my code to make it cleaner?

Here is my code (Spring):

AuthController.java

 @PostMapping("/refresh/token")
    public ResponseEntity<AuthenticationResponse> refreshTokens(@Valid @RequestBody RefreshTokenRequest refreshTokenRequest) throws Exception {
        return ResponseEntity.status(HttpStatus.OK).body(authService.refreshToken(refreshTokenRequest));
    }

AuthService.java

 public AuthenticationResponse refreshToken(RefreshTokenRequest refreshTokenRequest) throws Exception {

        var authenticationResponse = new AuthenticationResponse();

        if(refreshTokenService.validateRefreshToken(refreshTokenRequest.getRefreshToken())){
            String token = jwtUtil.generateToken(refreshTokenRequest.getUserName());

            authenticationResponse.setAuthenticationToken(token);
            authenticationResponse.setRefreshToken(refreshTokenRequest.getRefreshToken());
            authenticationResponse.setUserName(refreshTokenRequest.getUserName());
        } else {
            throw new Exception("Refresh Token has expired");
        }

        return authenticationResponse;
    }

RefreshTokenService.java

 boolean validateRefreshToken(String token){

        System.out.println("refreshtoken name: " + refreshTokenRepository.findByToken(token));

        RefreshToken refreshToken = refreshTokenRepository.findByToken(token)
                .orElseThrow(() -> new ResourceNotFoundException("The Refresh Token hasn't been found"));


        long dateCreated = refreshToken.getCreatedDate().toEpochMilli();

        if(Instant.now().toEpochMilli() - dateCreated > 160000){
            return false;
        }
        return true;
    }

(Angular code)

token-interceptor.ts

export class TokenInterceptor implements HttpInterceptor {

    isTokenRefreshing = false;
    refreshTokenSubject: BehaviorSubject<any> = new BehaviorSubject(null);

    constructor(public authService: AuthService, private router: Router){}

    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        if (req.url.indexOf('refresh') !== -1 || req.url.indexOf('login') !== -1) {
            return next.handle(req);
        }

        const jwtToken = this.authService.getJwtToken();

        if(jwtToken){
            return next.handle(this.addToken(req, jwtToken)).pipe(catchError(error => {
                if(error instanceof HttpErrorResponse && error.status === 403) {
                    return this.handleAuthErrors(req, next);
                } else {
                    return throwError(error);
                }
            }));
        }
        return next.handle(req);
    }
   
    private handleAuthErrors(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        if (!this.isTokenRefreshing){
            this.isTokenRefreshing = true;
            this.refreshTokenSubject.next(null);

            return this.authService.refreshToken().pipe(
                switchMap((refreshTokenResponse: AuthenticationResponse) => {
                    this.isTokenRefreshing = false;
                    this.refreshTokenSubject
                    .next(refreshTokenResponse.authenticationToken);
                    return next.handle(this.addToken(req, refreshTokenResponse.authenticationToken));
                }), catchError(error => {
                    if(error instanceof HttpErrorResponse && error.status === 500) {
                        this.isTokenRefreshing = false;
                        this.authService.logout();
                        this.router.navigateByUrl('/login');
                        return of(null);
                    } else {
                        return throwError(error);
                    }
                })
            ) 
        } else {
            return this.refreshTokenSubject.pipe(
                filter(result => result !== null),
                take(1),
                switchMap((res) => {
                    return next.handle(this.addToken(req, this.authService.getJwtToken()))
                })
            )
        }
    }
  



    addToken(req: HttpRequest<any>, jwtToken: any) {
        return req.clone({
            headers: req.headers.set('Authorization', 'Bearer '+ jwtToken)
        });
    }
}

auth-service.ts

export class AuthService {

  @Output() loggedIn: EventEmitter<boolean> = new EventEmitter();
  @Output() username: EventEmitter<string> = new EventEmitter();

  loginUrl='http://localhost:8080/api/auth/login';
  logoutUrl='http://localhost:8080/api/auth/logout';
  refreshTokenUrl='http://localhost:8080/api/auth/refresh/token';

  refreshTokenRequest = {
    refreshToken: this.getRefreshToken(),
    userName: this.getUserName()
  }

  constructor(private http: HttpClient, private localStorage: LocalStorageService) { }


  login(loginRequest: LoginRequest): Observable<boolean>{
    return this.http.post<AuthenticationResponse>(this.loginUrl, loginRequest).pipe(
      map(
        data => {
          this.localStorage.store('authenticationToken', data.authenticationToken);
          this.localStorage.store('userName', data.userName);
          this.localStorage.store('refreshToken', data.refreshToken);

          this.loggedIn.emit(true);
          this.username.emit(data.userName);
          console.log('Login successful')
          console.log("Token: " + this.localStorage.retrieve('authenticationToken'))
          console.log("Token: " + this.localStorage.retrieve('userName'))
          return true;
        }
      )
    )
  }

  logout(){
    this.http.post(this.logoutUrl, this.refreshTokenRequest, {responseType: 'text'})
    .subscribe(data => {
      console.log(data);
    }, error => {
      throwError(error)
    }
    )
    this.localStorage.clear('refreshToken');
    this.localStorage.clear('userName');
    this.localStorage.clear('authenticationToken');
    this.loggedIn.emit(false);
    console.log("logout completed");
    console.log(this.localStorage.retrieve('refreshToken'))

  }


  refreshToken(){
    return this.http.post<AuthenticationResponse>(this.refreshTokenUrl, this.refreshTokenRequest)
    .pipe(
      tap(
        response => {
          this.localStorage.clear('authenticationToken');

          this.localStorage.store('authenticationToken', response.authenticationToken);
          console.log("Token has been refreshed")
          console.log(this.localStorage.retrieve('authenticationToken'))
        }, error => {
          throwError(error)
          
        }
      )
    )
  }

  getJwtToken(){
    return this.localStorage.retrieve('authenticationToken');
  }

  getUserName(){
   return this.localStorage.retrieve('userName');
  }

  getRefreshToken() {
    return this.localStorage.retrieve('refreshToken');
  }

  isLoggedIn(): boolean {
    return this.getJwtToken() != null;
  }

}

Thank you!

Answer 1

The moment the jwt token expires your refresh method will throw a status 500

To fix that

1. Invalidate the login session when the token is expired, that will force the user to login again
2. Run your refresh method before the token expires (it works like a charm)

Also catching ExpiredJwtException and force a token refresh might, but I have not tried it