Add a margin to the automatic JWT refresh

[jdhoek]

By configuring refreshMargin the JWT gets refreshed that many seconds
before the current token expires.

PR for #32.

[jdhoek]

I've had a go at implementing the feature I suggested in #32 by adding a configurable parameter that defaults to 0. It might actually make sense to default to some value (10 seconds? A minute? 5 minutes?), but I'm just getting my feet wet with JSON Web Tokens, so I might be mistaken.

[validkeys]

+1 on this one. All of my refresh requests keep getting cancelled as the JWT is expired by the time the refresh makes the requests.

Great work @jdhoek

[jpadilla]

I definitely thought this would have been an issue. @erichonkanen haven't you run into this?

This looks pretty good as is to me, not too sure about the actual name for the setting refreshMargin, definitely not against it. We use leeway in PyJWT.

[hoIIer]

@jpadilla I have not run into this issue in any of the projects Ive used this with. Two of these projects are deployed to heroku currently in an ember-cli client/django backend setup with proxy.

The only thing I can think of for me is that I have JWT_LEEWAY set to 3 seconds on the django jwt side.

That said it seems logical to have something like this.

cheers

[hoIIer]

@validkeys have you tried setting a leeway on the server side? that is the most likely reason you ran into this and I didn't

[jdhoek]

@jpadilla
leeway does sound better, I'll push a commit renaming this to refreshLeeway.

I'm implementing a Java API that serves up and refreshes JWT. I considered giving the timeout some leeway server-side, but that would encourage an API where the client sends expired or very nearly expired tokens to the server. That doesn't feel quite right in terms of a clean API, although for all practical purposes both approaches should work equally fine.

[jdhoek]

Thanks for the 👍 vote of confidence.

@jpadilla
I've updated the documentation in README.md as well, please have a look if all is in order there.

[validkeys]

@erichonkanen I didn't but I just tried it out and that works well for me. Having that hint as part of the documentation would be great for JWT noobs (like me) (Best Practice would be to include a leeway in your JWT's decode method server side).

[validkeys]

@erichonkanen @jpadilla put a quick note into the docs: /pull/34

[jdhoek]

Thanks!