Is this the correct way to use AWS Cognito?


I am doing the following in my React/Node App:

  1. Using the User Pools for a Cognito App that I have created
  2. Calling the /login endpoint with response_type=token in my React App
  3. Once I receive the JWT token, I pass it to my node/express server in a header (my server is using ssl)
  4. On the Node server, using cognito-express package to call cognitoExpress.validate(accessTokenFromClient, callback) to validate the token
  5. If the call is successful, saving the user details (email etc) and the jwt in localStorage in the React App

And then, for every call to my server, I am repeating steps 3 and 4 above (validating jwt) to ensure that the user is Authenticated.

My concerns with the above approach are:

  1. I am unsure if cognito-express is actually calling Cognito, or if it is just decoding the JWT and making a decision on its validity locally

  2. I tried leaving the session open overnight, and I expected that the call to cognitoExpress.validate(accessTokenFromClient, callback) would fail (because the JWT expires in an hour), but it didn't. Does this mean that an expired JWT token is considered a valid claim?

  3. If the user was authenticated and his JWT has expired, how do I refresh the JWT without asking him to log in again?