laravel-auth-token

Feature: Token expiration

Open rockfridrich opened this issue 10 years ago • 10 comments

Are you going to provide token expiration functionality? It is very useful for mobile app APIs. Thank you!

rockfridrich Jun 06 '14 19:06

I am hoping to revisit how the tokens are generated soon. I had looked into possibly using JSON Web Tokens (JWT) instead of storing them in the db (JWT can support expiration).

The one challenge with storing the tokens in the DB is when they become invalid, you will need a cron job to clean out the old entries.

tappleby Jun 08 '14 17:06

+1

atinder Jun 12 '14 17:06

+1

dennisoderwald Jun 29 '14 14:06

+1

Tasemu Aug 14 '14 05:08

Any progress on this one?

AntonNiklasson Sep 01 '14 19:09

None yet, it will probably come with a Redis driver.

For the database driver I was thinking of integrating with the Indatus/dispatcher package to handle cleanup of expired tokens.

tappleby Sep 02 '14 22:09

Any news on this?

jrm2k6 Feb 17 '15 22:02

Still none yet. I haven't used this library in over a year which means it hasn't been getting much of my attention lately.

The dilemma I am facing right now is that the upcoming plans I had for this package are now mostly covered by tymondesigns/jwt-auth. I'm not sure if it makes sense to have 2 packages doing almost the same thing.

tappleby Feb 17 '15 23:02

Yes, I see, this is what I have also been checking. I just started on a new project at work and your package was already in use, so I decided to go with it. Maybe switching to jwt-auth is the right thing to do.

jrm2k6 Feb 17 '15 23:02

Actually, I don't want to clear out old entries. They make a nice record of login attempts and I don't really care about keeping the table small. Furthermore, I would like it to be possible to honor multiple tokens for a period of time. Why?

The auth tokens are used to authenticate mobile apps that are used like cash registers. The mobile apps are often deployed in areas of sketchy connectivity. They will store data locally until a good network connection becomes available again. Each single transaction has the auth token recorded with it. It has been known to happen that a device's battery simply dies in the field and it gets set aside. The user will start using a new device. The old device hasn't uploaded its transactions yet. When the device finally gets a charge and a network, I find the auth tokens are gone and I'm stuck with a device with a bunch of field records on it with invalid auth tokens. This is WAY NOT COOL according to my clients.

Thus, I need the tokens to stay in the database, forever. But I want to configure a max age for which one will be honored, along with a soft delete, for forced logout (like when a user turns in their device and cashes out).

Those are my requirements, I'll be forking now to get them...;-)

iparq May 14 '15 00:05
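
The rule set out in the last comment (rows kept forever, a configurable max age checked when the token is presented, and a soft delete for forced logout), sketched as an added example that is not code from laravel-auth-token or any fork of it. The table and column names, the function names, the 30-day limit, and the choice to store a SHA-256 hash instead of the raw token are assumptions; an in-memory SQLite database stands in for the application's own.

```php
<?php
// Added example, not laravel-auth-token code; schema, names and limit are assumed.
const MAX_TOKEN_AGE = 30 * 86400; // seconds a token is honored after issue

function makeStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_tokens (
        token_hash TEXT PRIMARY KEY,  -- SHA-256 of the token, never the token
        user_id    INTEGER NOT NULL,
        created_at INTEGER NOT NULL,  -- Unix time of issue
        revoked_at INTEGER            -- soft delete, set on forced logout
    )');
    return $db;
}

function issueToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, NULL)')
       ->execute([hash('sha256', $token), $userId, $now]);
    return $token; // a user may hold several live tokens, one per device
}

function revokeToken(PDO $db, string $token, int $now): void
{
    // Forced logout marks the row and keeps it as a record.
    $db->prepare('UPDATE auth_tokens SET revoked_at = ? WHERE token_hash = ? AND revoked_at IS NULL')
       ->execute([$now, hash('sha256', $token)]);
}

function resolveToken(PDO $db, string $token, int $now): ?int
{
    // Expiry is decided at read time, so no cleanup job ever deletes a row.
    $q = $db->prepare('SELECT user_id FROM auth_tokens
        WHERE token_hash = ? AND revoked_at IS NULL AND created_at > ?');
    $q->execute([hash('sha256', $token), $now - MAX_TOKEN_AGE]);
    $userId = $q->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Constructed scenario: old device goes dark, a new one logs in, the old one returns.
$db  = makeStore();
$t0  = 1700000000;
$old = issueToken($db, 7, $t0);
$new = issueToken($db, 7, $t0 + 86400);
var_dump(resolveToken($db, $old, $t0 + 10 * 86400)); // old device back after 10 days
revokeToken($db, $new, $t0 + 11 * 86400);
var_dump(resolveToken($db, $new, $t0 + 12 * 86400)); // new device after forced logout
var_dump(resolveToken($db, $old, $t0 + 31 * 86400)); // old device after the max age
```

Because rows are never deleted, hashing matters here: a copy of the table then yields a login history but no usable credentials.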