In my recent encounter, I was trying to implement JWT Tokens storing securely in the Front-End.
What my previous approach is to store access_token as well refresh_token in sessionStorage which is vulnerable to XSS attacks. Now, when access_token expires, I'll call for /refresh endpoint to obtain a new access_token. Here I'm passing expired JWT into Authorization Header. The idea here is to protect your refresh endpoint and make sure only logged-in users ask for the token.
After that, we change the implementation to prevent XSS and CSRF. And followed this, LocalStorage vs. Cookies
which recommend, store your access token in memory, and store the refresh token in the cookie. so from FE, we can't access the cookie.(HTTPOnly cookie) and access_token
Now the real challenge is when the page refresh, we lose access_token as we stored it into in-memory, and API asks for Expired JWT token.
So my question is, does /refresh endpoint requires an expired JWT token, or is that a good practice to use the refresh token without JWT token.