I'm developing a website like classified ads with Django REST framework, React and Redux. I have a question about authentication with JWT. I want to use djangorestframework_simplejwt for authentication and I've checked a few tutorials. I saw that many tutorials check the access token on the client side, like below
```javascript
export function isAccessTokenExpired(state) {
  if (state.access && state.access.exp) {
    return 1000 * state.access.exp - (new Date()).getTime() < 5000
  }
  return true
}
```
and the refresh token as well. But I don't know why, because we could just request a new access token with the refresh token every time we get an HTTP 401 Unauthorized error with an expired access token.
The workflow that I thought of is:
- Send the server a request with the access token to get a page which only authenticated users can see.
- If the access token is expired, the frontend will get an HTTP 401 Unauthorized error.
- Send the server a request with the refresh token to get a new access token, then the frontend will store it in localStorage.
- Send the request again.
Is this a bad way?
My apologies for my poor English...
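
The two approaches in the question (the tutorials' client-side expiry check and the 401, refresh, retry workflow) combined in one request wrapper, as an added example that is not part of the original post or of any tutorial. Assumptions: the refresh endpoint is mounted at `/api/token/refresh/` and exchanges `{"refresh": ...}` for `{"access": ...}` as simplejwt's `TokenRefreshView` does; `createClient`, `store`, `makeJwt` and `isExpired` are hypothetical names; tokens are held in a plain object, and `fetchImpl` is injected so the code also runs outside a browser.

```javascript
// Added example. createClient, store, makeJwt and the refresh URL are assumptions.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Constructed sample token (not signed); only the payload's exp claim is read.
const makeJwt = (expSec) => `${enc({ alg: 'none' })}.${enc({ exp: expSec })}.x`;

// Client-side expiry hint with the same 5 s margin as the snippet in the question.
function isExpired(jwt, nowMs, marginMs = 5000) {
  try {
    const seg = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const { exp } = JSON.parse(atob(seg));
    return typeof exp !== 'number' || exp * 1000 - nowMs < marginMs;
  } catch (e) {
    return true; // unreadable token: treat as expired
  }
}

function createClient({ fetchImpl, store, now = Date.now, refreshUrl = '/api/token/refresh/' }) {
  let inFlight = null; // concurrent callers share one refresh request
  function refresh() {
    if (!inFlight) {
      inFlight = (async () => {
        const res = await fetchImpl(refreshUrl, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ refresh: store.refresh }),
        });
        if (!res.ok) { // refresh token rejected: drop both tokens, force login
          store.access = store.refresh = null;
          throw new Error('login required');
        }
        store.access = (await res.json()).access;
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  }
  const send = (url, opts) => fetchImpl(url, {
    ...opts, headers: { ...opts.headers, Authorization: `Bearer ${store.access}` },
  });
  return async function request(url, opts = {}) {
    // Proactive path: skip a request that is known to fail.
    if (!store.access || isExpired(store.access, now())) await refresh();
    let res = await send(url, opts);
    if (res.status === 401) { // reactive path: the server decides; retry once only
      await refresh();
      res = await send(url, opts);
    }
    return res;
  };
}
```

The expiry check only saves a round trip that would end in a 401; the 401 branch stays because the client clock and an unverified `exp` claim are hints, and the server's response is what counts.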