Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token expires too soon #933

Closed
edwardmp opened this issue Jul 27, 2017 · 6 comments
Closed

Token expires too soon #933

edwardmp opened this issue Jul 27, 2017 · 6 comments

Comments

@edwardmp
Copy link

edwardmp commented Jul 27, 2017
edited
Loading

I love this gem but stumbled into an issue lately.

I manually create a token by calling create_new_auth_token on a User.
Right after that, the created token works fine. But a few days later it will no longer works, as if it has been expired.

Here's the strange thing though. The expiry timestamp that is returned on create_new_auth_token indicates a much later date (e.g. in this example 6 August 2017, yet as of today it is already expired). Is there a limit to the amount of clients stored and is the oldest removed at some point?

Here's some relevant config:

DeviseTokenAuth.setup do |config|
  # By default the authorization headers will change after each request. The
  # client is responsible for keeping track of the changing tokens. Change
  # this to false to prevent the Authorization header from changing after
  # each request.
  config.change_headers_on_each_request = false

  # By default, users will need to re-authenticate after 2 weeks. This setting
  # determines how long tokens will remain valid after they are issued.
  config.token_lifespan = 2.weeks

  # By default, only Bearer Token authentication is implemented out of the box.
  # If, however, you wish to integrate with legacy Devise authentication, you can
  # do so by enabling this flag. NOTE: This feature is highly experimental!
  config.enable_standard_devise_support = false
end
@nicholasshirley
Copy link

nicholasshirley commented Jul 30, 2017
edited
Loading

There is a default limit of 10 "devices" per user. You can override this in the config file by uncommenting:

# Sets the max number of concurrent devices per user, which is 10 by default.
# After this limit is reached, the oldest tokens will be removed.
# config.max_number_of_devices = 10

The clients seem to be expired oldest first (i.e. if I log in with by browser, then call create_new_auth_token 10 times on the user in the console, the browser client is "expired"). Are you calling create_new_auth_token 10 times on the same user when testing?

EDIT: sorry, I just realized that you are not changing tokens with each request. In this case, calling create_new_auth_token even one time will invalidate the previous token

@edwardmp
Copy link
Author

Hey @nicholasshirley

Thanks for your response. I generate a new token once daily. So if create_new_auth_token invalidates all old tokens, how can I generate a new token without invalidating the old ones?

@nicholasshirley
Copy link

Can you tell me more about your use case? You would like to have a single user have a new token each day, but they should also be able to use an older token generated for their account so long as it is not expired?

@edwardmp
Copy link
Author

edwardmp commented Jul 31, 2017
edited
Loading

@nicholasshirley

Yeah here's my use case. So I have a bunch of hardware (specifically RFID card readers) that fire HTTP requests to a central server once a RFID card is scanned. Although this happens over an internal network I still want some form of authentication. The way this kind of hardware works is that I can't pass any headers with a token etc, so I append them as query parameters and set the headers programmatically based on the query params once I receive these kind of requests on the central server.

The configs of these RFID readers is updated each night automatically: this is where a generate a new token, basically I just change the web hook URL that these readers call when an event happens. It might be okay to invalidate all older tokens at this point. Still, I've got the impression that somehow the tokens are invalidated even before the new token is generated, which is less than a day after creation.

@edwardmp
Copy link
Author

edwardmp commented Aug 1, 2017
edited
Loading

@nicholasshirley

just did some testing. First I created a token using create_new_auth_token and confirmed that it works to authorize an user. Then I ran create_new_auth_token again. Both the old and the new token keep working, so calling create_new_auth_token definitely doesn't seem to invalidate old tokens immediately unless you hit max_number_of_devices.

I just realized I have 10+ of the RFID readers and when each one is updated at night a new token is generated for each individual unit, probably causing the first few units to get their token expired shortly when the 10th unit is updated. Going to try increasing max_number_of_devices and see what happens.

@zachfeldman
Copy link
Contributor

Seems as if this strategy worked! @edwardmp feel free to reopen if not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zachfeldman @nicholasshirley @edwardmp