JWT Expiration

[mu4farooqi]

Once ws connection is established, how to deal with JWT refreshes? For example when we establish ws connection with anycable-go, it makes an RPC call to anycable-rails to validate JWT. Now what if JWT expires after a minute? Shouldn't we check expiry of JWT on each message instead of only just in the connection phase?

[palkan]

That's a good question.

Currently, we assume that once authenticated the client stays so for the whole lifetime. That fits most of the use cases (since its similar to other authentication methods, e.g., cookies, custom tokens, etc.).

We have a feature (opt-in) in the backlog to automatically disconnect clients with the token_expired reason as soon as they exceeded their TTL. That would work if a JWT token is validated at the AnyCable WS server side.