
Why both refresh and auth tokens are valid to authorize mutation requests?! #144

@ModulesSoft

Hello guys,

I also have the problem which is somehow mentioned in this issue.
I preferred to create a new issue because of the proper title and some clarification.

As I know, we have to use the auth/access token (which is fetched by the login mutation) in our request header to authorize and gain access to query mutations. Afterwards we just renew the token whenever it expires, using the new token returned by refreshJwtAuthToken. Therefore we send the previously fetched refresh token to the refreshJwtAuthToken mutation.

But I have tried using both the auth/access token AND the refresh token in the authorization header of a mutation request (the addPost mutation as an example) and both work!!
I think the refresh token must not be valid as an auth/access token for requests, but it is!

This could be prone to attack because the refresh token is long-lived. Thus, if anyone steals it, or even owns it, they can use it for a long time to query mutations on the server.

Am I wrong?
Could anyone help?

Thank you in advance.
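The failure mode described in the issue, and the check that closes it, as an added example. This is not the plugin's code and does not describe how the plugin actually validates tokens; it assumes HS256-signed JWTs and a claim I have named `token_use` (an assumption, not a claim the plugin uses) that marks each token as `access` or `refresh`. `authorize_request_weak` accepts any token with a valid signature and expiry, so a refresh token works on a mutation request exactly as reported; `authorize_request` additionally requires `token_use == "access"`, and `refresh_access_token` requires `token_use == "refresh"`, so each token is good for only its own purpose.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this demo only; a deployment reads it from configuration.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id, token_use, ttl_seconds, secret=DEMO_SECRET, now=None):
    """Mint an HS256 JWT carrying an explicit token_use claim ('access' or 'refresh')."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "iat": now, "exp": now + ttl_seconds,
               "token_use": token_use}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_verified(token, secret=DEMO_SECRET, now=None):
    """Check structure, algorithm, signature and expiry; return claims or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def authorize_request_weak(token, now=None):
    """The behaviour the issue reports: any validly signed, unexpired token authorizes a request."""
    try:
        return decode_verified(token, now=now)["sub"]
    except ValueError:
        return None


def authorize_request(token, now=None):
    """Hardened: a request (query or mutation) is authorized only by an access token."""
    try:
        claims = decode_verified(token, now=now)
    except ValueError:
        return None
    if claims.get("token_use") != "access":
        return None  # refresh tokens are rejected at the API boundary
    return claims["sub"]


def refresh_access_token(token, access_ttl=300, now=None):
    """Only a refresh token may be exchanged for a new, short-lived access token."""
    try:
        claims = decode_verified(token, now=now)
    except ValueError:
        return None
    if claims.get("token_use") != "refresh":
        return None  # an access token cannot renew itself
    return mint_token(claims["sub"], "access", access_ttl, now=now)


if __name__ == "__main__":
    t0 = 1_000_000
    access = mint_token(1, "access", 300, now=t0)
    refresh = mint_token(1, "refresh", 14 * 86400, now=t0)
    print("weak check, refresh token on a mutation:", authorize_request_weak(refresh, now=t0 + 100))
    print("hardened check, refresh token on a mutation:", authorize_request(refresh, now=t0 + 100))
    print("hardened check, access token:", authorize_request(access, now=t0 + 100))
```

The important property is that the check happens inside the token verifier, not in the GraphQL resolvers: every request path shares `authorize_request`, so a long-lived refresh token cannot be turned into an access token without passing through the refresh endpoint, where rotation and revocation can be enforced.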
