RESN

Auth Options

Paired Access Token and Refresh Token

  • Pros
    • Paired token pattern is well-known
    • The refresh endpoint can check the account before issuing a new access token, and decline to issue one
  • Cons
    • Still need to know the account is compromised before anything is blocked, and the current access token stays valid until it expires
    • Blocking a user still requires an authorization check against the account; the refresh step alone does not do it
    • Complicates the frontend flow
    • None of the open-source NestJS projects use this strategy

Auth Token Only

  • Pros
    • Simpler logic, no need to “refresh”
    • A user can be blocked immediately by editing the account record, because the account is checked on every request
    • Used by the open-source NestJS projects (e.g. Reactive Resume uses a 7-day token)
  • Cons
    • The token stays valid (authenticates) until it expires; a valid token by itself does not mean the request is authorized, since the account check can still deny it
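Both options above, side by side, as an added example that is not code from the page or from any of the NestJS projects it mentions. It hand-rolls an HS256 JWT on Node's `crypto` module so it runs without `@nestjs/jwt`, uses a constructed in-memory account store in place of the database, and assumes a 15-minute access-token lifetime for the paired pattern (the 7-day lifetime is the one the page cites for Reactive Resume). The point it shows is the authentication/authorization split: `verify` only proves the token was issued and has not expired, while `authorize` and `refresh` consult the account, so blocking a user takes effect on the next request under the token-only pattern but only at the next refresh under the paired pattern.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Shared HMAC secret, constructed for this example only.
const SECRET = "example-secret-replace-me";

// Minimal HS256 JWT, hand-rolled on Node's crypto so the example runs without
// @nestjs/jwt. Production code should use a maintained JWT library.
export interface Claims {
  sub: string;                 // user id
  typ: "access" | "refresh";   // token kind, so a refresh token cannot be replayed as an access token
  exp: number;                 // expiry, seconds since the epoch
}

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

export function sign(claims: Claims): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", SECRET).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Authentication only: signature and expiry. Says nothing about whether the
// account is still allowed in.
export function verify(token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = createHmac("sha256", SECRET).update(`${header}.${payload}`).digest("base64url");
  const a = Buffer.from(sig, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
    return claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}

// Constructed account store standing in for the database; blocking a user is
// an edit to the account record.
export const users = new Map<string, { blocked: boolean }>([["alice", { blocked: false }]]);
export function blockUser(sub: string): void {
  const u = users.get(sub);
  if (u) u.blocked = true;
}

const ACCESS_TTL = 15 * 60;          // assumed: 15-minute access token for the paired pattern
const REFRESH_TTL = 7 * 24 * 3600;   // 7 days, the lifetime the page cites for Reactive Resume's token

// Paired pattern: the refresh endpoint is where the account is consulted, so a
// blocked user keeps working until the current access token expires.
export function issuePair(sub: string, now: number): { access: string; refresh: string } {
  return {
    access: sign({ sub, typ: "access", exp: now + ACCESS_TTL }),
    refresh: sign({ sub, typ: "refresh", exp: now + REFRESH_TTL }),
  };
}

export function refresh(refreshToken: string, now: number): string | null {
  const c = verify(refreshToken, now);
  if (!c || c.typ !== "refresh") return null;
  const u = users.get(c.sub);
  if (!u || u.blocked) return null;            // refresh logic declines a new access token
  return sign({ sub: c.sub, typ: "access", exp: now + ACCESS_TTL });
}

// Token-only pattern: one long-lived access token, and authorization (the
// account check) runs on every request, so an edit to the account takes effect
// on the user's next request even though the token still verifies.
export function issueAccessOnly(sub: string, now: number): string {
  return sign({ sub, typ: "access", exp: now + REFRESH_TTL });
}

export type Decision = "ok" | "unauthenticated" | "forbidden";
export function authorize(accessToken: string, now: number): Decision {
  const c = verify(accessToken, now);
  if (!c || c.typ !== "access") return "unauthenticated";  // bad signature, expired, or wrong kind
  const u = users.get(c.sub);
  if (!u || u.blocked) return "forbidden";                // authenticated, but not authorized
  return "ok";
}
```

In a NestJS service the `authorize` function is what a guard would do after the JWT strategy has validated the signature: look the user up and reject on `blocked`. Note that the paired pattern only helps if the guard does not do that lookup; once the guard checks the account on every request, the refresh step no longer adds any revocation capability, which is the trade-off the lists above describe.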