Sliding expiration of access token

[bajtos]

It should be possible to configure LoopBack application in such way that the access token expires after a certain time of inactivity. The current implementation supports only the expiration after a fixed time since login.

See strongloop/loopback-sdk-angular#39 for a possible solution:

// ...
app.use(loopback.token({/* config */});
app.use(function(req, res, next) {
  var token = req.accessToken;
  if (!token) return next();

  var now = new Date();

  // performance optimization:
  // do not update the token more often than once per second
  if (now.getTime() - token.created.getTime() < 1000) return;

  // update the token and save the changes
  req.accessToken.created = now;
  req.accessToken.ttl = 60; /* session timeout in seconds */
  req.accessToken.save(next);
});
// register other middleware, etc.

[bajtos]

I am closing this issue, since no user was asking for this enhancement and it clearly was not a priority for us so far. We can reopen it again later when there is more demand.

[meng-zhang]

Sorry I did not see this before. I think this is very useful. Especially for mobile apps. Please reopen. 👍

[bajtos]

@meng-zhang I am afraid we don't have bandwidth to implement this anytime soon. Would you mind submitting a pull request?

• add a configuration option for enabling the sliding expiration, probably via AccessToken.settings.slidingExpiration
• implement sliding expiration in loopback.token middleware

[diegonetto]

I didn't see any reference of this in the docs, so I assume it still hasn't been implemented?

If so I'd like to take a stab at it.

[raymondfeng]

@diegonetto It's not implemented. Contribution is welcome!

[jamesw6811]

@diegonetto I would definitely use this as well

Perhaps the onus could be on the client-side? Generate a new accessToken using the current accessToken?

[tib]

@bajtos I think you should call next() every time before you return. :)
This is how it should look like if you want to keep alive the token for a week.

server.js

app.use(loopback.token());
app.use(function(req, res, next) {
    var token = req.accessToken;
    if (!token) {
        return next();
    }
    var now = new Date();
    if ( now.getTime() - token.created.getTime() < 1000 ) {
        return next();
    }
    req.accessToken.created = now;
    req.accessToken.ttl     = 604800; //one week
    req.accessToken.save(next);
});
...
app.start...

[F3L1X79]

@tib thanks a lot!

[seanmangar]

@bajtos Can this issue be reopened? I wouldn't mind giving it a shot.

[superkhau]

@seanmangar Feel free to submit a PR and link to this issue. We can reopen it at that time.

[murbanowicz]

It would be really useful !

[zalos]

+1

This would be very handy. We have a need to have an inactivity be the cause of logout, as well as the database access for this would be slow, hooking to memcache or redis would be way faster.