Feature: Token expiration #23
Comments
I am hoping to revisit how the tokens are generated soon. I had looked into possibly using JSON Web Tokens (JWT) instead of storing them in the db (JWT can support expiration). The one challenge with storing the tokens in the DB is when they become invalid, you will need a cron job to clean out the old entries.
+1
+1
+1
Any progress on this one?
None yet, it will probably come with a Redis driver. For the database driver I was thinking of integrating with the Indatus/dispatcher package to handle cleanup of expired tokens.
Any news on this?
Still none yet. I haven't used this library in over a year which means it hasn't been getting much of my attention lately. The dilemma I am facing right now is the upcoming plans I had for this package are now mostly covered by tymondesigns/jwt-auth, I'm not sure if it makes sense to have 2 packages doing almost the same thing.
Yes, I see, this is what I have also been checking. I just started on a new project at work and your package was already in use, so I decided to go with it. Maybe switching to jwt-auth is the right thing to do.
Actually, I don't want to clear out old entries. They make a nice record of login attempts and I don't really care about keeping the table small. Furthermore, I would like it to be possible to honor multiple tokens for a period of time. Why? The auth tokens are used to authenticate mobile apps that are used like cash registers. The mobile apps are often deployed in areas of sketchy connectivity. They will store data locally until a good network connection becomes available again. Each single transaction has the auth token recorded with it. It has been known to happen that a device's battery simply dies in the field and it gets set aside. The user will start using a new device. The old device hasn't uploaded its transactions yet. When the device finally gets a charge and a network, I find the auth tokens are gone and I'm stuck with a device with a bunch of field records on it with invalid auth tokens. This is WAY NOT COOL according to my clients. Thus, I need the tokens to stay in the database, forever. But I want to configure a max age for which one will be honored, along with a soft delete, for forced logout (like when a user turns in their device and cashes out). Those are my requirements, I'll be forking now to get them...;-)
Are you going to provide token expiration functionality? It is very useful for mobile app APIs.
Thank you!