Expressframework~30 mins

Refresh token concept in Express - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

Implementing Refresh Token Concept in Express

📖 Scenario: You are building a simple authentication system for a web app using Express. You want to keep users logged in securely by using access tokens and refresh tokens.Access tokens expire quickly, so you need a way to get a new access token without asking the user to log in again. This is done using refresh tokens.

🎯 Goal: Build a basic Express server that issues access tokens and refresh tokens, stores refresh tokens, and allows clients to get new access tokens by sending a valid refresh token.

📋 What You'll Learn

Create an Express app with a route to login and issue tokens

Store refresh tokens in memory

Create a route to accept a refresh token and issue a new access token

Create a route to logout and remove the refresh token

💡 Why This Matters

🌍 Real World

Refresh tokens are used in real web apps to keep users logged in without asking for credentials repeatedly. This improves user experience and security.

💼 Career

Understanding refresh tokens is important for backend developers working on authentication and security in web applications.

Progress0 / 4 steps

Setup Express app and login route

Create an Express app by requiring express and calling express(). Then create a POST route /login that sends a JSON response with accessToken set to 'access123' and refreshToken set to 'refresh123'.

Express

const express = require('express');
const app = express();

// Create POST /login route
// Your code here

Need a hint?

Use express() to create the app. Use app.post('/login', (req, res) => { ... }) to create the login route.

Add in-memory storage for refresh tokens

Create a variable called refreshTokens and set it to an empty array []. Then, inside the /login route, add the string 'refresh123' to the refreshTokens array.

Express

const express = require('express');
const app = express();

// Create refreshTokens array
// Your code here

app.use(express.json());

app.post('/login', (req, res) => {
  // Add 'refresh123' to refreshTokens
  // Your code here
  res.json({ accessToken: 'access123', refreshToken: 'refresh123' });
});

app.listen(3000);

Need a hint?

Use const refreshTokens = [] to create the array. Use refreshTokens.push('refresh123') inside the login route.

Create /token route to refresh access token

Add a POST route /token that reads refreshToken from req.body. Check if refreshTokens includes this refreshToken. If yes, respond with JSON containing accessToken set to 'newAccess123'. If not, respond with status 403 and JSON message { error: 'Forbidden' }.

Express

const express = require('express');
const app = express();

const refreshTokens = [];

app.use(express.json());

app.post('/login', (req, res) => {
  refreshTokens.push('refresh123');
  res.json({ accessToken: 'access123', refreshToken: 'refresh123' });
});

// Create POST /token route
// Your code here

app.listen(3000);

Need a hint?

Use app.post('/token', (req, res) => { ... }). Read refreshToken from req.body. Use refreshTokens.includes(refreshToken) to check validity.

Add /logout route to delete refresh token

Create a POST route /logout that reads refreshToken from req.body. Remove this refreshToken from the refreshTokens array using filter. Respond with status 204 and no content.

Express

const express = require('express');
const app = express();

const refreshTokens = [];

app.use(express.json());

app.post('/login', (req, res) => {
  refreshTokens.push('refresh123');
  res.json({ accessToken: 'access123', refreshToken: 'refresh123' });
});

app.post('/token', (req, res) => {
  const refreshToken = req.body.refreshToken;
  if (refreshTokens.includes(refreshToken)) {
    res.json({ accessToken: 'newAccess123' });
  } else {
    res.status(403).json({ error: 'Forbidden' });
  }
});

// Create POST /logout route
// Your code here

app.listen(3000);

Need a hint?

Use app.post('/logout', (req, res) => { ... }). Remove the token from refreshTokens using splice. Send status 204 with res.sendStatus(204).