Casvt / MIND

A simple self hosted reminder application that can send push notifications to your device. Set the reminder and forget about it!
https://casvt.github.io/MIND/
GNU General Public License v3.0

Add cookie support to stay logged in #39

Closed cybermcm closed 6 months ago

cybermcm commented 1 year ago

Describe the solution you'd like

Like your project, clean and simple! A request: Currently, it is necessary to log on every time I use it. There is no cookie set to stay connected, which would simplify its usage. Cookie lifetime should be variable, I'd set it to forever. Thanks

Casvt commented 1 year ago

This feature will be included together with the admin panel feature (#1). That feature is all about "management", so it's fitting if this gets done together with that.

You said that you'd set the cookie lifetime to forever. This suggests that you basically want to disable password auth. I can understand that if you're the only one using it and/or don't have it port forwarded. I want to add a feature to the admin panel where you can disable password auth. This does force the following rules:

  1. Aside from the admin account, only one account is allowed.
  2. The admin account still has a password.

Sounds good? Again, this is on top of being able to stay logged in for X time. I just think that that will be a better option for you when it comes out than setting the lifetime to forever :)

cybermcm commented 1 year ago

@Casvt: Thank you for your detailed answer! My use case is slightly different to your description. I'm self-hosting, and I want to share this service with my family, so only one admin account is not my intention. I'm using MIND with my mobile phone to track reminders, and it is not practical to log on every time I want to use the service. So currently the best solution would be to log on and stay logged in (using Chrome mobile browser).

Casvt commented 1 year ago

Oh okay. Then the lifetime option will still just work for you.

Casvt commented 1 year ago

Hey there, it's been a bit of time but I'm working on MIND again and am looking at adding your request soon.

I've looked at the relevant code and this is the current situation:

  1. When logging in, an API key is granted to the browser that it uses with each request. This key is valid for one hour.
  2. This key is stored in the 'session storage' of the browser (a storage space for a browser tab that lasts as long as the tab is open). When the tab is closed, the storage is deleted and thus you'll need to log in again after that.

Based on this, we would need to do two things to achieve what you want:

  1. Put the key in the 'local storage' (sustains past a closed tab, "permanent" storage for a tab). This means that after the tab is closed, the key is still saved and can be used next time when accessing the page. This is safe because after one hour, the key is still made invalid. This all means that with local storage, when you log in, you stay logged in for one hour no matter how often you open and close the tab.
  2. Allow changing how long the key is valid. For example from one hour to a week. Setting it to not expire at all is dangerous but I could allow a max age of a month for example. And a button to expire all API keys for your account, in case one is stolen.

Point 1 can be done right now. Point 2 will be included in the admin panel update. Does that sound good?

cybermcm commented 1 year ago

@Casvt: Thanks for taking your time and working on the project again! Your points sound reasonable and fine! Just an additional question: Is the key lifetime extended if I use the page, so that the lifetime is extended every time I use the service or is this a fixed date and e.g. after one month I have to relogin again?

Casvt commented 1 year ago

Both can be done. I'll make it an option in the admin panel:

"Expire key after given amount of time starting from:

  1. Creation of key (login)
  2. Last use of key"
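The two expiry options and the "expire all API keys" button discussed in this thread, sketched server-side as an added example (not MIND's code and not posted by either participant). `KeyStore`, `ApiKey` and `MAX_LIFETIME` are hypothetical names, and the absolute one-month cap applied even to last-use keys is an assumption of this sketch:

```python
import secrets
import time
from dataclasses import dataclass

MAX_LIFETIME = 30 * 24 * 3600  # assumed cap: one month, as floated in the thread

@dataclass
class ApiKey:
    user_id: int
    created: float
    last_used: float

class KeyStore:
    """In-memory API key store (hypothetical; not MIND's implementation)."""

    def __init__(self, lifetime=3600, sliding=False, clock=time.time):
        # Clamp the admin-chosen lifetime so a key can never be permanent.
        self.lifetime = min(lifetime, MAX_LIFETIME)
        self.sliding = sliding  # False: count from login, True: from last use
        self.clock = clock
        self.keys = {}

    def login(self, user_id):
        now = self.clock()
        key = secrets.token_urlsafe(32)
        self.keys[key] = ApiKey(user_id, now, now)
        return key

    def authenticate(self, key):
        """Return the user id for a valid key, else None."""
        entry = self.keys.get(key)
        if entry is None:
            return None
        now = self.clock()
        start = entry.last_used if self.sliding else entry.created
        # Assumption: last-use keys also die MAX_LIFETIME after creation.
        if now - start >= self.lifetime or now - entry.created >= MAX_LIFETIME:
            del self.keys[key]
            return None
        entry.last_used = now
        return entry.user_id

    def revoke_all(self, user_id):
        """'Expire all API keys' button: drop every key of one account."""
        stale = [k for k, e in self.keys.items() if e.user_id == user_id]
        for k in stale:
            del self.keys[k]
        return len(stale)
```

Because expiry is checked on the server, it applies whether the browser keeps the key in session storage or local storage.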