foal
Remembering users?
Although the framework provides authenticating and fetching the user from the database, it seems to be missing "remember me" functionality. It would be great if there was a built-in way to do this.
Laravel provides a layer called Auth for authenticating users and dealing with their state, even permission gates. Again, I am not forcing anybody to follow Laravel in every step, but there are proven benefits to their abstraction. Check out these:
https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/
https://laravel.com/docs/5.8/authentication#remembering-users
https://laravel.com/docs/4.2/upgrade#upgrade-4.1.26
This is a valid issue. Thank you for raising it!
I'm moving this to the To-Do list.
In the meantime, it is possible to simulate a "remember me" feature that will apply to all users by extending the timeout values (for example by specifying a year as the value): https://github.com/FoalTS/foal/blob/master/docs/authentication-and-access-control/session-tokens.md#session-expiration-timeouts
Hello @LoicPoullain,
I looked into the docs already, to think about an implementation of this feature. Yet, you can choose to set timeouts using this guide in the docs: https://foalts.org/docs/authentication-and-access-control/session-tokens#session-expiration-timeouts
So for this feature, in the process of saving the user to the session:
ctx.session.setUser(user)
there needs to be another parameter, like a boolean "rememberMe". If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.
Or do you already have another idea for how to implement such a feature?
Hi @scho-to 👋
> If this gets set to true, at least the "absolute timeout" needs to get set to a predefined (by config?) value.
This issue is more complex. One way to implement the remember me feature would be simply to increase both idle and absolute timeouts to a value further in the future. But this involves some security concerns as authentication tokens should have a short lifetime.
There is a big study to be done here that involves studying the OWASP recommendations and the state of the art in other web frameworks.
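
Added illustration, not part of the thread and not FoalTS code: a stand-alone model of the idle and absolute timeouts discussed above, showing why raising only the absolute timeout does not keep a returning user signed in, and how raising both widens the window in which an unused token is still accepted. All names are hypothetical and the timeout values are constructed for the example.

```typescript
// Hypothetical model of a session with two timeouts (all values in seconds).
interface Timeouts { idle: number; absolute: number }

interface Session {
  userId: number;
  createdAt: number;   // epoch seconds, fixed at login
  lastSeenAt: number;  // epoch seconds, refreshed on each accepted request
  timeouts: Timeouts;
}

const MINUTE = 60;
const DAY = 24 * 3600;

// Constructed values for illustration only.
const DEFAULT: Timeouts = { idle: 15 * MINUTE, absolute: 7 * DAY };
const REMEMBER_ABSOLUTE_ONLY: Timeouts = { idle: 15 * MINUTE, absolute: 365 * DAY };
const REMEMBER_BOTH: Timeouts = { idle: 30 * DAY, absolute: 365 * DAY };

function login(userId: number, now: number, timeouts: Timeouts): Session {
  return { userId, createdAt: now, lastSeenAt: now, timeouts };
}

// A session is dead once either timeout has elapsed.
function isExpired(s: Session, now: number): boolean {
  return now - s.lastSeenAt >= s.timeouts.idle
      || now - s.createdAt >= s.timeouts.absolute;
}

// Accept a request: reject expired sessions, otherwise slide the idle window.
function accept(s: Session, now: number): boolean {
  if (isExpired(s, now)) return false;
  s.lastSeenAt = now;
  return true;
}

// How long a token stays valid if its owner never uses it again,
// i.e. how long a leaked copy of an abandoned token is still accepted.
function unusedTokenWindow(t: Timeouts): number {
  return Math.min(t.idle, t.absolute);
}
```

With these sample values the unused-token window grows from 15 minutes to 30 days once both timeouts are raised, which is the trade-off the last comment points at.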