token managment

[nikto1]

Took a look at the token management and the tokens in the tokens.jsonl file are never deleted. With time this would cause a huge file if you work with tokens instead of username+pass to login.

Wouldn't it be much better to: 1) make a tokens.jsonl file for each group. Actually an admin from one group can see all tokens while he should just see the tokens from his own group. 2) delete the token completely instead of just modifying the expiry date of the token. As for now you have to go through a list of 20, 50, ecc. tokens in order to modify the expiry time. 3) using the token revoke function by /revoke user instead of /revoke link, much easier to write + a username is always easier to remember while a link is impossible to remember. 4) supposing 1 is already implemented, delete the jsonl file an x amount of time/ after a meeting is finished or the .jsonl file gets deleted together with the group.json file.

[jech]

Took a look at the token management and the tokens in the tokens.jsonl file are never deleted.

They are deleted a week after they expire: https://github.com/jech/galene/blob/master/token/stateful.go#L372

(The reason they are not deleted earlier is that it is possible to extend a token after it has expired using /reinvite.)

make a tokens.jsonl file for each group

That was my first design and I even started coding it, but it turned out to be too complicated, so I settled for the current design. We can always revisit this if there are clear advantages to the more complex approach.

Actually an admin from one group can see all tokens while he should just see the tokens from his own group.

It's not supposed to do that: https://github.com/jech/galene/blob/master/token/stateful.go#L329. Have you actually tried it, or are you just guessing?

using the token revoke function by /revoke user instead of /revoke link

Not a bad idea, but we usually use tokens with no username, so we haven't found the need for this feature. Additionally, you'd need to define what to do when there are multiple tokens for the same user. I'd be open to accepting a patch that adds a new command that does what you suggest.

supposing 1 is already implemented, delete the jsonl file an x amount of time/ after a meeting is finished

We already delete the file when all tokens have expired, see https://github.com/jech/galene/blob/master/token/stateful.go#L264.

[nikto1]

They are deleted a week after they expire: https://github.com/jech/galene/blob/master/token/stateful.go#L372

Maybe would be better to delete tokens as soon as there is no one in the meeting, let's say for 2 hours. Obviously it's a bit more of work to detect if there are no users in the meeting.

It's not supposed to do that: https://github.com/jech/galene/blob/master/token/stateful.go#L329. Have you actually tried it, or are you just guessing?

my bad, sorry, working fine.

Not a bad idea, but we usually use tokens with no username, so we haven't found the need for this feature.

oh ok, got it. So you're generating tokens for anonymous users, they're not supposed to have a username but they can choose one if they want. The approach we're using is generating directly a token + username, so they don't have to choose a name, which is a few clicks less; calling them "anonymous (anon)" isn't the best thing. Would be good if it's possible to delete tokens by username too (if any), faster to type and easier to remember.

[jech]

They are deleted a week after they expire: https://github.com/jech/galene/blob/master/token/stateful.go#L372

Maybe would be better to delete tokens as soon as there is no one in the meeting

Why would it be better?

Would be good if it's possible to delete tokens by username too

As I've said before, I think it's a good idea.

[nikto1]

Why would it be better?

because the file gets big if you have quite some meetings running each day and you're working only with tokens. Waiting 7 days in order to get the tokens deleted is IMO too much. I'm not using username/ password login, only using tokens login, easier and faster for users.

As for now i'm working with cUrl calls so all the json group files and the jsonl file stuff is automatized, based on a calendar where you can schedule conferences/ meetings. I have no idea how other galene users are managing files/ tokens, ecc. I think each one has it's own requirements and mostly people don't care how big a file gets.

[jech]

because the file gets big if you have quite some meetings running each day

How large is your tokens file? A token is less than 200 bytes, so I have trouble conceiving of a situation where the size of the tokens file is an issue.

[nikto1]

How large is your tokens file?

no idea about the actual size in kb, i just saw a huge list of tokens in the file itself so i tought it would be a good idea to delete them as soon as there's no one in the conference for x hours.