Fix refresh tokens

[jor-rit]

Trying to get an new token, with an 'expired' token results in an
signature error. The token is decoded with verification of 'exp' claim.
Only the orig_iat claim should be verified in this case.

Problem is the JWT_DECODE_HANDLER does not have an option to disable exp verification.
Changing the default handler would be an backwards incompatible change... not sure how you guys would want to handle that.
So in this pull it has it's own call to jwt.encode...

Fixes #249

[kodeine]

+1 for this

[kodeine]

any idea when this will be merged?

[kodeine]

@jorrit-wehelp i've tried your repo with this pull request. but i am still getting Refresh has expired. error.
Following is my setting.

'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=7200),
'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7),

[tvanhouten]

👍

[jor-rit]

@kodeine This pull only avoids the 'Error decoding signature.' error.
With this pull request the 'Refresh has expired.' is only thrown when 'orig_iat' field (original issued at timestamp) is expired.
But do note that the 'orig_iat' field is not updated/changed when a new token is generated during refresh...
so orig_iat field functions as a kind of maximum reuse bound for the session...
Not what many people would expect from 'refresh tokens functionality', but it's another issue that I left out of this pull request.

[wlwg]

This would solve issue #92

[edelvalle]

👍

[blueyed]

#348 is meant to update this.

Do you agree?

[jor-rit]

Yeah, agree. This pull is old and now has merge conflicts. Superseded by #348