Please provide the full code; it's more like we have to make a guess every time we write a line.
Hi Gal Malachi. Great blog. It is a very useful and to-the-point article. Can you please share the source code? That would be great.
Sorry, could you give all the code? Because not everything is clear, but I would like to figure it out)
Great post! Until now I used to save the access token in the local storage with an expiration of 30 minutes or a similar short term. On every full reload of the app or 5 min before the access token's expiration - refresh using the refresh token. Is this in fact a bad practice? Should I persist the access token in the session storage instead?
This is invaluable information. Thank you so much!
Hey Gal, thank you for this amazing thread, I've learned a lot. However, I have some questions:
Part 2 was just published: blog.galmalachi.com/react-and-jwt-authentication-…
First of all, the post is great, it has helped me a lot. I have it so very close to working. The encryption/decryption appears to be working fine, and it will set the refresh token in the cookie in the response, but that's as far as I can get.
I can't be 100% sure, but I think you may have some typos in the code you posted? I can't seem to get it to work as-is.
For example, in the function generateTokensAndAuthenticateUser(), you have await generateAccessToken(userId) immediately followed by a non-awaited generateRefreshToken(userId).
That doesn't make much sense to me. Are you completely sure that this code actually works when using the code you posted, verbatim?
Another one that I can't seem to get working is the step where you refresh the token by looking at req.cookies... That request object never has a property named 'cookies' for me. It does though, have the cookie set in the headers, under the name 'cookie', so const [tokenName, tokenEncrypted] = req.headers.cookie.split('=') gives me 'refresh_token' and the gibberish contents of the token, respectively.
Another place that I had trouble with concerned the expirations of the tokens. It appears upon signing the token that you are using a value meant to mean expiresIn (a number of sec from now) and when that value appears again, it seems as if you're treating it as an absolute timestamp.
Oh, I should mention, I converted your ts into plain javascript to attempt this. So there's a possibility that I messed that up somehow, but still that doesn't explain the strange little discrepancies I see in the code as posted.
Thank you so much. I don't want to sound like I'm complaining. It looks like this took a lot of work to put together, and I've definitely learned a lot from it.
Btw, others have mentioned, do you have this on github anywhere? It would make this whole process 100x easier.
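The two issues raised in the comment above (reading the refresh token from the raw cookie header, and mixing a relative expiresIn with an absolute timestamp) can be shown in a small added example. It is not the blog author's code or part of any comment; the function names and the sample header are constructed for illustration, and the token value is a placeholder.

```javascript
// Constructed sample header: several cookies, and a base64-style value ending in '='.
const SAMPLE_HEADER = 'theme=dark; refresh_token=YWJjZA==; lang=en';

// What header.split('=') yields: correct only when the header holds exactly
// one cookie and its value contains no '=' padding.
function naiveSplit(header) {
  const [name, value] = header.split('=');
  return { name, value };
}

// Parse the raw Cookie header, so nothing depends on req.cookies being populated.
function parseCookieHeader(header) {
  const cookies = Object.create(null); // no inherited keys such as "constructor"
  if (typeof header !== 'string' || header.length === 0) return cookies;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('='); // split on the FIRST '=' only
    if (idx < 0) continue;         // skip malformed fragments
    const name = pair.slice(0, idx).trim();
    let value = pair.slice(idx + 1).trim();
    if (!name || name in cookies) continue; // keep the first occurrence of a name
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);  // strip optional surrounding quotes
    }
    try {
      value = decodeURIComponent(value);
    } catch (_) {
      // malformed percent-encoding: keep the raw value
    }
    cookies[name] = value;
  }
  return cookies;
}

// expiresIn is a relative number of seconds. Convert it once to an absolute
// millisecond timestamp and compare only absolute values afterwards.
function toAbsoluteExpiry(expiresInSeconds, nowMs = Date.now()) {
  return nowMs + expiresInSeconds * 1000;
}

function isExpired(expiresAtMs, nowMs = Date.now()) {
  return nowMs >= expiresAtMs;
}
```

With the sample header, `naiveSplit` returns the first cookie's name and a mangled value, while `parseCookieHeader(SAMPLE_HEADER).refresh_token` returns the token intact.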