I think there are a lot of different ways to handle it. The method I've used here sounds pretty close to what you are saying. I do hold the lookup of refresh tokens on the server, but that could easily be swapped out to keep it stateless. There are some security concerns around refresh tokens though, so you'll want to make sure that your approach is secure enough for your application before you go for it.

@@jherr Ok noted

I don't think that's a problem.

Yes!

I got in a refresh loop but realized that the map refreshtokens was lost on restart so I added a response that if refreshTokens didn't contain user then return null. This was a really rewarding project 🤙

Oh, subscriptions are definitely not second class to me. I'm a huge fan of all things pub/sub, GraphQL subscriptions, Firebase, etc. all of that. I did end up turning a todo app into a chat app in a recent video, FWIW. Maybe that's what you were alluding to?

@@jherr what? yes! I tend to watch all your graphql and ts related videos. guess I missed one or two. can't wait to watch it. thanks!

It's unlikely that the code as-is will block the four requests that follow after the first one fails. My hunch is that you'll get five 401s, that this will cause five subsequent refreshes, five token updates and five more requests at the very least. There might be some mitigation by the JWT the second time around being the same as the first after subsequent refreshes. But that would probably just help with the React update cycle. FWIW, I think the primary issue here isn't with this patter per-se but more in making five simultaneous calls in the first place. You should put a GraphQL aggregation server in the middle there and then make one request with all five queries.

@@jherr Yep I agree. Btw great video and explanation, not the easiest topic I'm sure 😅

@@ATTI0822 Yeah, the code on this one was about two days to write, which is unusually bad. Lots of stuff around CORS and response codes. Once I got it running it was pretty quick, but ... sheesh... sometimes. Fortunately, it's the kind of thing you get right once and after that you're usually (fingers crossed) pretty set.

Websockets are just upgraded HTTP connections, so the authentication pattern should work the same pre-upgrade to websocket.

With GraphQL you check permissions within the resolver to make sure your the current user has access to that particular resolver, or to reduce the data returned from the resolver to just the data for that user.

​@@jherr i create a is-logged-in mutation, that verify the refresh token cookie and return the user. it´s a valuable way or there is a better approach? My goal is make the frontend know that the user is logged in without store the data for example in local store.

@@denilsoncosta9837 I don't think there is any extra data leak from just returning true or false if you are logged in or not and updating the refresh token.

@@jherr thanks!

We really enjoy it here. I used to work in the west side (at Nike) and I find that Happy Valley feels more "lived in" and less "cookie cutter" than the west side. IMHO. Six bedrooms is a lot, but there are definitely houses around here that are that big.

@@jherr It's not ideal, but im going to be house poor to take care of a couple family members. From the pictures of happy valley I have seen, I agree. I'm just worried about amenities and such. I like good food, which is why I love in portland to begin with!

@@boot-strapper The amenities are improving. We have already some good restaurants and that's definitely been improving since we moved here. If we want to go out for a good meal all of SE Portland and all its restaurants are just over the hill. There are great spots in Sellwood, Division, Hawthorne, as well as Oregon City if you go south a little. If you want to chat more interactively about it you can hit me up on DMs on my Discord server, or use Twitter DM. I'd be happy to meet up for lunch or whatever.

@@jherr How can I find your discord?

@@jherr Nevermind! I found it. I will hop on there one of these days

Well, in comparison to some of the other JWT related videos I've seen which can run into hours... it's speed-ier.

@@jherr It is to speed for my little brain but thank your for the video.

You’ll need to get a new JWT but the cookie should persist.

@@jherr Just to confirm, even after closing the tab, the cookie from set-cookie header stays in browser storage, and using that we need to get a new jwt if we open the site in new tab. Am I right?

@@sleepingsaintz Not with the code currently as written, you'd have to try to do the refresh first to know if you have a refreshToken and if that fails then force the login.

@@jherr thank you