lamanchy / bis


Question: Do authorization tokens expire? #4

Open mrkvon opened 2 years ago

mrkvon commented 2 years ago

I noticed that every time I sign in, I receive the same token. AFAIK we don't have any logout endpoint, do we?

Do tokens expire? If not, this might be a security issue (stolen tokens, guessed tokens)

edit: this is for future reference, no need to resolve it now (frontend (almost) doesn't care)

lamanchy commented 2 years ago

There's no expiration, I don't think it's necessary, everyone wants to stay logged in as long as possible. But I have no problem implementing it, we can discuss it later.

But I'll provide logout API, since frontend uses token, but backend uses session auth and API login logs you into backend as well.

Can you add "next" url param for login page? So bis.lomic.cz/login?next=/admin/ would redirect you to /admin/ after login?

mrkvon commented 2 years ago

> Can you add "next" url param for login page? So bis.lomic.cz/login?next=/admin/ would redirect you to /admin/ after login?

yes, we'll do that 👍🏾 (https://github.com/mrkvon/bis-frontend/issues/3)

> I don't think it's necessary

It's equivalent to password, only it can be tried as many times as attacker pleases

a great authoritative resource regarding anything security related is OWASP (link to session management/expiration cheat sheet)

mrkvon commented 2 years ago

@lamanchy

> Can you add "next" url param for login page? So bis.lomic.cz/login?next=/admin/ would redirect you to /admin/ after login?

Implemented in https://github.com/mrkvon/bis-frontend/pull/5

It's deployed at https://dev.bis.lomic.cz. You can test and let us know if anything doesn't work as expected

(please note: only /admin/*** routes leave the React app. e.g. https://dev.bis.lomic.cz/login?next=https://example.com will instead lead to https://dev.bis.lomic.cz/https://example.com. This is to prevent an unnecessary redirect when staying within the app, and to prevent potential attacks. If more routes are necessary, please request them, we'll add them...)
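The comment above describes the `next` handling deployed in the frontend; the function below is an added, editor-written example of the same idea and is not the bis-frontend code. It resolves the `next` value against the app origin (assumed here to be https://dev.bis.lomic.cz) so that absolute URLs, protocol-relative `//host` values, backslash variants and `javascript:` URLs all show up as a foreign origin and are dropped in favour of a fallback. It differs from the deployed behaviour in one deliberate way: a cross-origin value is discarded rather than rewritten into an in-app path. Only paths under /admin/ are marked as a full-page navigation that leaves the React app; everything else stays an in-app route.

```javascript
// Added example, not the bis-frontend code. Resolves a ?next= parameter
// without creating an open redirect. APP_ORIGIN is an assumption.
const APP_ORIGIN = 'https://dev.bis.lomic.cz';

// Returns { kind: 'full', path } for routes that must leave the React app
// (a full browser navigation), or { kind: 'app', path } for in-app routing.
function resolveNext(next, fallback = '/') {
  if (typeof next !== 'string' || next === '') {
    return { kind: 'app', path: fallback };
  }

  // Parse relative to our own origin. Anything that smuggles in a host
  // (https://evil, //evil, /\evil, javascript:) ends up with a different
  // origin ('null' for non-hierarchical schemes) and is rejected.
  let url;
  try {
    url = new URL(next, APP_ORIGIN);
  } catch {
    return { kind: 'app', path: fallback };
  }
  if (url.origin !== APP_ORIGIN) {
    return { kind: 'app', path: fallback };
  }

  // Re-serialise only the same-origin parts; never echo the raw input.
  const path = url.pathname + url.search + url.hash;
  const leavesApp = url.pathname === '/admin' || url.pathname.startsWith('/admin/');
  return { kind: leavesApp ? 'full' : 'app', path };
}
```

A caller would do `window.location.assign(path)` for `kind: 'full'` and hand `path` to the router for `kind: 'app'`; because `path` is rebuilt from the parsed same-origin URL, neither branch can be steered to another site by the query string.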