Merge pull request #322 from waltaskew/develop

Add configuration for token expiration
pallets-eco · May 2, 2015 · e4d9d3a · e4d9d3a
2 parents f2a5e4b + 897b2fc
commit e4d9d3a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/AUTHORS b/AUTHORS
@@ -36,3 +36,4 @@ Rotem Yaari
 Srijan Choudhary
 Tristan Escalada
 Vadim Kotov
+Walt Askew
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -37,6 +37,10 @@ Core
 ``SECURITY_TOKEN_AUTHENTICATION_HEADER`` Specifies the HTTP header to read when
                                          using token authentication. Defaults to
                                          ``Authentication-Token``.
+``SECURITY_TOKEN_MAX_AGE``               Specifies the number of seconds before
+                                         an authentication token expires.
+                                         Defaults to None, meaning the token
+                                         never expires.
 ``SECURITY_DEFAULT_HTTP_AUTH_REALM``     Specifies the default authentication
                                          realm when using basic HTTP auth.
                                          Defaults to ``Login Required``

diff --git a/flask_security/core.py b/flask_security/core.py
@@ -75,6 +75,7 @@
     'EMAIL_SENDER': 'no-reply@localhost',
     'TOKEN_AUTHENTICATION_KEY': 'auth_token',
     'TOKEN_AUTHENTICATION_HEADER': 'Authentication-Token',
+    'TOKEN_MAX_AGE': None,
     'CONFIRM_SALT': 'confirm-salt',
     'RESET_SALT': 'reset-salt',
     'LOGIN_SALT': 'login-salt',
@@ -192,7 +193,7 @@ def _user_loader(user_id):
 
 def _token_loader(token):
     try:
-        data = _security.remember_token_serializer.loads(token)
+        data = _security.remember_token_serializer.loads(token, max_age=_security.token_max_age)
         user = _security.datastore.find_user(id=data[0])
         if user and safe_str_cmp(md5(user.password), data[1]):
             return user