diff --git a/auth_utility.go b/auth_utility.go
index 7833b40..2348f8b 100644
--- a/auth_utility.go
+++ b/auth_utility.go
@@ -119,12 +119,20 @@ func RefreshAuthToken(req *http.Request) (TokenClaims, error) {
 	tokenstr := strings.TrimPrefix(authHead, "Bearer ")
 	token, err := jwt.ParseWithClaims(tokenstr, &TokenClaims{}, secretFunc)
 	if err != nil {
-		return TokenClaims{}, err
+		if validation, ok := err.(*jwt.ValidationError); ok {
+			// don't return error if token is expired
+			// just extend it
+			if !(validation.Errors&jwt.ValidationErrorExpired != 0) {
+				return TokenClaims{}, err
+			}
+		} else {
+			return TokenClaims{}, err
+		}
 	}
 	// type assertion
 	claims, ok := token.Claims.(*TokenClaims)
-	if !ok || !token.Valid {
+	if !ok {
 		return TokenClaims{}, errors.New("token is not valid")
 	}
@@ -164,33 +172,6 @@ func RbacCheck(req *http.Request, authRoles []string) bool {
 	return false
 }
-// TODO
-func AuthCheck(req *http.Request, authRoles []string) (*TokenClaims, error) {
-	if authRoles == nil {
-		return &TokenClaims{}, nil
-	}
-
-	// validate token and check expiration date
-	claims, err := GetTokenClaims(req)
-	if err != nil {
-		return &TokenClaims{}, err
-	}
-	// check if token has expired
-	if claims.ExpiresAt < (time.Now()).Unix() {
-		return &TokenClaims{}, errors.New("token has expired")
-	}
-
-	// check if role extracted from token matches
-	// any of the provided (allowed) ones
-	for _, r := range authRoles {
-		if claims.Role == r || r == "*" {
-			return claims, nil
-		}
-	}
-
-	return claims, errors.New("role is not authorized")
-}
-
 // GetTokenClaims extracts JWT claims from Authorization header of the request.
 // Returns token claims or an error.
 func GetTokenClaims(req *http.Request) (*TokenClaims, error) {
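Review bot: The expiry check in RefreshAuthToken only asks whether the Expired bit is set, so a ValidationError that carries Expired together with another failure (in jwt-go/golang-jwt `Errors` is a bitmask and signature verification still runs after claims validation, so an expired token with a bad signature reports both bits) is now treated as "just expired" and accepted; with the `!token.Valid` guard also removed on the later line, nothing else rejects it before claims are used to mint a fresh token. Require that expiry is the only failure: `if validation.Errors&^jwt.ValidationErrorExpired != 0 {` in place of `if !(validation.Errors&jwt.ValidationErrorExpired != 0) {`, and consider keeping `!token.Valid` as a second guard by explicitly allowing only the expired-only case before it. The new path also sets no upper bound on how long ago the token expired, so a comment or a check such as comparing `claims.ExpiresAt` against a refresh grace window would make the intended policy explicit. RefreshAuthToken starts before and continues after this hunk, so the code that consumes `claims` is not visible here.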