The backend API gives out a access/refresh token pair on login. The access token is short lived and the refresh token is long lived.
I was thinking about storing those tokens in a HttpOnly cookie.
Then it's easy enough to read it from a server hook (hooks.server.ts), and if the access token has expired, then request a new access/refresh token pair using the refresh token and override the previous cookies.
In a server side load function I'd then want to use the access token to request data from the API.
But the hook doesn't always run, like when client side navigation is happening, only on hard refresh.
So the access token could by expired and refreshed.
Guess I could have another refresh mechanism on the load as well, but I'm not sure.
Where are people storing the access/refresh token pairs and handling the refreshing when the access token has expired?