I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:
- All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
- Users have a username and password, which they create.
- A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
- The access token will be a signed JWT that identifies the user and has an expiration time.
- The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID.
- When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
- If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.
Does this scheme sound secure?
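The following is an added, self-contained model of the login / access-token / refresh-token flow described in the question, written here to make the scheme concrete; it is not code from the original post. The in-memory dicts stand in for the user and refresh-token database tables, the HS256 JWT is built by hand with the standard library only so the block runs offline (a real service would use a vetted JWT library), and the sample user, password and salt are constructed. It also adds three details the question does not spell out, so they are assumptions rather than part of the questioner's design: the verifier pins the header `alg` to HS256 and compares the signature in constant time before trusting the payload, refresh-token rows carry their own expiry, and a `revoke_refresh_token` function deletes a row so `/refresh` stops working for it.

```python
"""Model of the access/refresh token scheme from the question.

Added example, not from the original post. USERS and REFRESH_TOKENS are
in-memory stand-ins for the database tables the question describes.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid

SIGNING_KEY = secrets.token_bytes(32)   # server-side HMAC key for HS256 access tokens
ACCESS_TTL = 15 * 60                    # short-lived access token, in seconds
REFRESH_TTL = 30 * 24 * 3600            # long-lived refresh token, in seconds (assumed)


def _hash_password(password, salt):
    """Salted PBKDF2 so the user table never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample data: one user created with a username and password.
_SALT = b"constructed-salt-value"
USERS = {"alice": {"id": 42, "salt": _SALT, "pw_hash": _hash_password("correct horse", _SALT)}}
REFRESH_TOKENS = {}   # refresh-token GUID -> {"user_id": ..., "expires": ...}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_access_token(user_id, now=None):
    """Signed HS256 JWT identifying the user, with iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token, now=None):
    """Return the user id if the signature and expiry check out, else None.

    Order matters: reject unexpected algorithms and verify the signature
    (constant-time compare) before anything in the payload is trusted.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # pinned algorithm (assumed hardening)
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:               # expired: client should hit /refresh
        return None
    return payload.get("sub")


def login(username, password, now=None):
    """POST /login: returns (access_token, refresh_token) or None on bad credentials."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    refresh = str(uuid.uuid4())                    # GUID row key, as in the question
    REFRESH_TOKENS[refresh] = {"user_id": user["id"], "expires": now + REFRESH_TTL}
    return make_access_token(user["id"], now), refresh


def refresh_access_token(refresh_token, now=None):
    """POST /refresh: new access token only if the refresh-token row still exists."""
    now = int(time.time()) if now is None else now
    row = REFRESH_TOKENS.get(refresh_token)
    if row is None or row["expires"] <= now:      # missing or expired row (expiry assumed)
        REFRESH_TOKENS.pop(refresh_token, None)
        return None
    return make_access_token(row["user_id"], now)


def revoke_refresh_token(refresh_token):
    """Logout or admin revocation: deleting the row makes /refresh fail for it."""
    REFRESH_TOKENS.pop(refresh_token, None)


if __name__ == "__main__":
    access, refresh = login("alice", "correct horse")
    print("user from access token:", verify_access_token(access))
    print("user after refresh:", verify_access_token(refresh_access_token(refresh)))
    revoke_refresh_token(refresh)
    print("refresh after revocation:", refresh_access_token(refresh))
```

Because the access token is self-contained and verified purely from its signature and `exp`, the only server-side state this scheme consults per request is none at all; revocation therefore only takes effect at the `/refresh` step, which is why the refresh-token row, not the JWT, is the thing to delete on logout.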