WP-API / OAuth1

OAuth server implementation for WP API
http://oauth1.wp-api.org/

Store access tokens as a post type #215

Open spacedmonkey opened 6 years ago

spacedmonkey commented 6 years ago

Currently user access tokens are stored as an option. This has a number of downsides, including

Making the access token a post type fixes all these issues.

kosso commented 6 years ago

Don't forget to handle the expiry of the token.

(Does this plugin handle that yet? Last time I looked, the database was getting clogged up with loads of them)

I also agree that options are not a good place to store these.

But wouldn't a user meta field be a better fit than a post type?

spacedmonkey commented 6 years ago

@kosso I have answered the question of using user meta in the PR, if you want to take a look over there for an answer.

As for expiring tokens, I am not sure that this is handled yet, or at least not that I can see. If the token was a post, then we could use the post created date and a scheduled event to clean out expired tokens.

The nice thing about storing it as a post is that once a user is deleted, the token goes with it. So that should mean fewer useless tokens in the database.
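
A sketch of the approach discussed in this thread, as an added example that is not code from the plugin or from the PR: tokens live in a non-public post type, a scheduled event deletes those older than a fixed lifetime, and `delete_with_user` ties each token to its owner's account. The post type name, hook name, lifetime and batch limits are all assumptions made for illustration.

```php
<?php
// Added example. Every name and value defined here is hypothetical.
define( 'EXAMPLE_TOKEN_POST_TYPE', 'example_oauth_token' );
define( 'EXAMPLE_TOKEN_CLEANUP_HOOK', 'example_oauth_token_cleanup' );
define( 'EXAMPLE_TOKEN_LIFETIME', 30 * DAY_IN_SECONDS ); // assumed lifetime

add_action( 'init', function () {
	// One post per access token; post_author is the user the token belongs to.
	register_post_type( EXAMPLE_TOKEN_POST_TYPE, array(
		'public'           => false,
		'show_in_rest'     => false,
		'supports'         => array( 'author' ),
		// Makes wp_delete_user() remove the user's tokens as well.
		'delete_with_user' => true,
	) );

	// Register the recurring cleanup once.
	if ( ! wp_next_scheduled( EXAMPLE_TOKEN_CLEANUP_HOOK ) ) {
		wp_schedule_event( time(), 'hourly', EXAMPLE_TOKEN_CLEANUP_HOOK );
	}
} );

add_action( EXAMPLE_TOKEN_CLEANUP_HOOK, function () {
	// Tokens created before this moment (GMT) are treated as expired.
	$cutoff = gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_TOKEN_LIFETIME );

	// Work in bounded batches so one cron run cannot loop or time out.
	for ( $batch = 0; $batch < 20; $batch++ ) {
		$expired = get_posts( array(
			'post_type'      => EXAMPLE_TOKEN_POST_TYPE,
			'post_status'    => 'any',
			'fields'         => 'ids',
			'posts_per_page' => 100,
			'date_query'     => array(
				array( 'column' => 'post_date_gmt', 'before' => $cutoff ),
			),
		) );
		if ( empty( $expired ) ) {
			break;
		}
		foreach ( $expired as $post_id ) {
			wp_delete_post( $post_id, true ); // force delete, bypass trash
		}
	}
} );
```

Deleting expired rows only limits database growth; the token validation path still has to compare the post date against the lifetime so that a token is rejected between its expiry and the next cleanup run.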