rubyprince

Reputation: 17793

Timeout for authentication_token only, not for database authenticable

In config/initializers/devise.rb file,

config.timeout_in = 30.minutes

But this affects both users logging from browser and also, resets auth_token I think. But, I need to reset auth_token only after a small amount of time. How to do that?

Upvotes: 1

Views: 121

Answers (1)

Tigraine

Reputation: 23648

You can control the behavior of the token timeout by creating a class method called expire_auth_token_on_timeout in your User model. If this method is set, Devise will reset the token upon timeout (alongside the user session). (This is defined in timeoutable.rb.)

Now if you want to expire the auth token sooner than that you can just hook into the same warden hook and check this yourself and call record.reset_authentication_token! yourself.

The callback in question is after_set_user, as described in the Warden wiki.

But you have to think about how you go about this and maybe create a separate timestamp in your model that logs the last auth-token access to make sure you expire it after a certain amount of time. (You should also be able to determine if the request is a token request through the request object - keep in mind you are at the Rack level, thus you can access the request through the env object.)

I am sorry I can't provide any sample code for this, but you'll have to play around with the implementation and I don't have a test-case handy.

Upvotes: 2
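As an added worked example (not code from the answer's author, the question's author, or Devise itself), here is the hook logic the answer describes in plain Ruby: the record carries a separate last-token-access timestamp, the check looks at the Rack env to decide whether the request was token-authenticated, and a token idle for longer than the limit is rotated with reset_authentication_token!. The class and method names (TokenUser, last_token_access_at, TOKEN_IDLE_LIMIT, expire_stale_token!) and the auth_token query parameter and X-Auth-Token header are assumptions; Warden is not loaded here, so the after_set_user registration is shown only as a comment.

```ruby
require "securerandom"
require "time"

# Constructed stand-in for a Devise user record with an
# authentication_token column plus the extra timestamp the answer
# suggests. Column name last_token_access_at is an assumption.
class TokenUser
  attr_accessor :authentication_token, :last_token_access_at

  def initialize(token:, last_token_access_at:)
    @authentication_token = token
    @last_token_access_at = last_token_access_at
  end

  # Mirrors the reset_authentication_token! helper the answer refers to:
  # replace the token with a fresh random value.
  def reset_authentication_token!
    @authentication_token = SecureRandom.urlsafe_base64(20)
  end
end

# How long a token may sit unused before it is rotated. Assumption: this is
# deliberately much shorter than config.timeout_in used for browser sessions.
TOKEN_IDLE_LIMIT = 5 * 60 # seconds

# Was this request authenticated by token? At the Rack level only env is
# available. The auth_token query parameter and X-Auth-Token header are
# assumed names for this example.
def token_request?(env)
  return true if env["HTTP_X_AUTH_TOKEN"]
  query = env["QUERY_STRING"].to_s
  query.split("&").any? { |pair| pair.start_with?("auth_token=") }
end

# The check an after_set_user hook would run for each authenticated request.
# Returns :skipped for non-token requests, :reset when the token was stale
# and has been rotated, :touched when it was still valid (timestamp refreshed).
# `now` is injectable so the behaviour can be exercised without sleeping.
def expire_stale_token!(record, env, now: Time.now)
  return :skipped unless token_request?(env)

  last = record.last_token_access_at
  if last.nil? || (now - last) > TOKEN_IDLE_LIMIT
    record.reset_authentication_token!
    record.last_token_access_at = now
    return :reset
  end

  record.last_token_access_at = now
  :touched
end

# Wiring in config/initializers/devise.rb would look like this. It is not run
# here because Warden is not loaded in this stand-alone example; a real hook
# would also persist the record and, like Devise's own timeoutable hook, stop
# the current request once the token it was authenticated with is rotated.
#
#   Warden::Manager.after_set_user do |record, warden, opts|
#     if record.respond_to?(:authentication_token)
#       expire_stale_token!(record, warden.env)
#     end
#   end
```

The important design point is that the idle clock is driven by a timestamp of the token's own use, separate from the session timestamp Devise's timeoutable keeps, so browser sessions and API tokens expire on independent schedules.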
