devise_token_auth icon indicating copy to clipboard operation
devise_token_auth copied to clipboard
verified publisher icon lynndylanhurley

Don't allow the newly created token to be ejected in `clean_old_tokens`

Open theblang opened this issue 1 year ago • 5 comments

We hit an odd situation with our Pingdom user, where it ended up having 10 tokens (the default max_number_of_devices) with an expiry slightly too far into the future. That in itself is still a mystery. But it caused a situation where the user couldn't log in, because the newly created token (with a proper expiry) was the one being ejected in clean_old_tokens. I think we should change that logic to never eject the token that was just created, otherwise the user can't sign in. Barring my odd situation, you might do something like change token_lifespan to be earlier.

theblang avatar Feb 29 '24 16:02 theblang

Got same problem here, me and my team suspect of this year being a leap year is causing that behavior.

dalima-dev avatar Feb 29 '24 18:02 dalima-dev

me and my team suspect of this year being a leap year is causing that behavior.

Ahh, that's a good thought!

theblang avatar Feb 29 '24 19:02 theblang

Although I think we should focus on cause of the tokens that get generated with a larger expiry than the configured lifespan the changes you suggest could solve the problem

pedroara avatar Feb 29 '24 21:02 pedroara

I could know how to fix it but I wasn't able to reproduce it with a test, so any more reproduction info is useful.

MaicolBen avatar May 19 '24 17:05 MaicolBen