Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?

How to approach long-lived feature code reviews in trunk based development?

My understanding is that trunk based development should rely on direct commits to master or short-lived feature branches that are merged with master. Incomplete work can be placed inside functions that are then toggled off with feature flags.

For short-lived feature code review: developers can work together in person to review work before/shortly after it is committed to the master branch, or they can create pull requests from their short-lived feature branch to master and review before merge.

I’m working on a project where code review would be beneficial and currently a lot of the team’s (3-4 juniors and 1 Sr.) features are long-lived. It seems like the code review approach would be to use feature flags to hide incomplete work, and then have developers break a long-lived feature out into discrete chunks of work that live on short-lived feature branches. These can be reviewed via pull request as the feature progresses to completion.

The reason I’m considering recommending this flavor of trunk-based development over GitFlow is because the Git knowledge there is thin so fear of merge conflicts looms large for the team. They also currently practice trunk-based development except that they don’t have automated testing, use branches, perform code review, and don’t use feature flags so deployment get delayed because of unfinished work sitting on master.

Is infrequent syncing in trunk based development similar to long-lived feature branch in GitFlow?

So if my thinking is correct, in Git my local copy of master is a branch. If that’s the case, then would the first diagram of GitFlow below also apply to Trunk Based Development? Not how TBD should be practiced (second image), but rather what would occur if two developers were working on their local copy of master and only infrequently merging / pushing with the remote master.

If the main benefit from TBD is to avoid semantic and textual merge conflicts that are difficult to solve by integrating frequently with the trunk then I see these benefits diminishing as merge frequency diminishes

Images from https://martinfowler.com/bliki/FeatureBranch.html

GitFlow

Continuous Integration