@@ -64,18 +64,32 @@ config :ewallet_config, | |||
position: 105, | |||
description: "The duration (in minutes) that a forget password request will be valid for." | |||
}, | |||
"atk_lifetime" => %{ | |||
key: "atk_lifetime", |
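Review bot: the new "atk_lifetime" entry should state its unit and the meaning of a zero value in its description, which is not visible in these lines. The forget-password setting just above spells out "(in minutes)"; a token lifetime with no stated unit invites a misconfiguration that keeps tokens valid far longer than intended, so say whether the value is seconds or minutes and what 0 does.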
I'm having problems with those names 😅 Can we just call it auth_token_lifetime and pre_auth_token_lifetime? More verbose, but clearer.
@@ -52,6 +53,7 @@ defmodule EWalletDB.AuthToken do | |||
) | |||
|
|||
field(:expired, :boolean) | |||
field(:expire_at, :naive_datetime_usec) |
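Review bot: with field(:expire_at, :naive_datetime_usec) added next to field(:expired, :boolean), the schema carries two indicators of expiry that can disagree, for example expired: false with an expire_at in the past. The authentication path should reject the token when either one says so, and because a naive datetime carries no time zone, the value should always be written and compared in UTC; a short comment on the field saying so would help.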
Should be expired_at
🔨 Refactor tests
Lovely! 👏👏👏❤️❤️❤️
Approving, but can you fix the PR description to reflect the changes you've made (name of fields, etc.). Another small thing to add to the description of the configurations would be what 0 means - it never expires, right?
Issue/Task Number: #953
Closes #953
Overview
This PR implements the authentication token expiration.
The default behavior of this feature is: the authentication token will never expire unless the settings (:pre_auth_token_lifetime and :auth_token_lifetime) are set to an integer greater than zero.
Changes
- expire_at to AuthToken and PreAuthToken
- :pre_auth_token_lifetime in the setting to specify how long the PreAuthToken can be used.
- :auth_token_lifetime in the setting to specify how long the AuthToken can be used.
- PreAuthToken or AuthToken or both.
Implementation Details
Every authenticated API calls AuthToken.authenticate. This PR adds some logic around there to check whether the authentication token's expire_at has lapsed.
So the main logic was implemented pretty much like this:
That means if it has lapsed, then set expire: true, otherwise refresh the authentication token by advancing expire_at to the next pre_auth_token_lifetime or auth_token_lifetime seconds.
How to test?
1.
mix do ecto.migrate, omg.server
Open the admin panel and login
Try to wait for x seconds (the value you've set at the previous step) to see if the auth token is expired or keep refreshing the webpage within x seconds to see if auth token is refreshed.
Impact
This PR requires a re-seeding of the settings using mix seed --settings. The steps after a deploy are therefore:
mix ecto.migrate
mix seed --settings
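The check-then-refresh flow outlined under Implementation Details, as an added Elixir example that is not the PR's code. The module name, the plain-map token, the error tuple, and the handling of a nil expire_at or a disabled lifetime are assumptions.

```elixir
defmodule TokenExpirySketch do
  # Added illustration, not eWallet code. A token is a plain map with the two
  # schema fields from the diff: :expired (boolean) and :expire_at.
  # `lifetime` is in seconds; 0 or less means expiry is disabled.

  def authenticate(token, lifetime, now \\ NaiveDateTime.utc_now())

  # A token already flagged as expired stays rejected, whatever the setting.
  def authenticate(%{expired: true} = token, _lifetime, _now),
    do: {:error, :token_expired, token}

  # Expiry disabled: accept without touching :expire_at (assumption).
  def authenticate(token, lifetime, _now) when lifetime <= 0, do: {:ok, token}

  # Token issued before expiry was enabled: start its window now (assumption).
  def authenticate(%{expire_at: nil} = token, lifetime, now),
    do: {:ok, refresh(token, lifetime, now)}

  def authenticate(%{expire_at: expire_at} = token, lifetime, now) do
    if NaiveDateTime.compare(now, expire_at) == :lt do
      # Still inside the window: slide the deadline forward from the server clock.
      {:ok, refresh(token, lifetime, now)}
    else
      # Deadline reached: flag the token so later calls fail on the first clause.
      {:error, :token_expired, %{token | expired: true}}
    end
  end

  defp refresh(token, lifetime, now),
    do: %{token | expire_at: NaiveDateTime.add(now, lifetime, :second)}
end

# Constructed sample data: fixed clock, 60-second lifetime.
now = ~N[2020-01-01 00:00:00]
live = %{expired: false, expire_at: ~N[2020-01-01 00:00:30]}
stale = %{expired: false, expire_at: ~N[2019-12-31 23:59:59]}

IO.inspect(TokenExpirySketch.authenticate(live, 60, now), label: "live, 60s")
IO.inspect(TokenExpirySketch.authenticate(stale, 60, now), label: "stale, 60s")
IO.inspect(TokenExpirySketch.authenticate(stale, 0, now), label: "stale, disabled")
```

Because every successful call pushes the deadline forward, a token in constant use never lapses under this scheme; an absolute maximum age would need a separate timestamp that is not refreshed.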