Requesting new refresh tokens

[AmSmart]

I am opening this as an issue because discussions are not enabled on this repo. I love and use this template that you have provided because of its simplicity and effectiveness. I'd love to ask a question though. Is there any reason why a user needs to have a valid access token in order to call the /refresh-token endpoint?

[changhuixu]

I would say, most of online tutorials don't have this. So it might be ok to not need a valid access token to refresh token.

However, if we look at the refresh tokens generation (below), we need to understand the risks that enumerating all refresh tokens is not difficult and we can brute force to get tokens for some users.

JwtAuthDemo/webapi/JwtAuthDemo/Infrastructure/JwtAuthManager.cs

Lines 128 to 134 in 3ebda08

	private static string GenerateRefreshTokenString()
	{
	var randomNumber = new byte[32];
	using var randomNumberGenerator = RandomNumberGenerator.Create();
	randomNumberGenerator.GetBytes(randomNumber);
	return Convert.ToBase64String(randomNumber);
	}

[AmSmart]

I didn't even consider this. This is a good enough reason. Thanks for the response!