miguelgrinberg / REST-auth

Example application for my RESTful Authentication with Flask article.
http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
MIT License

Unlimited Token Timeout #9

Closed adamperez closed 7 years ago

adamperez commented 7 years ago

With this setup, is it possible to set an auth token to never time out? I've tried passing a negative value to see if that would work but it seems unsupported.

miguelgrinberg commented 7 years ago

I'm not sure I understand. Tokens are given with a 10 minute expiration. One related limitation that has been pointed out before (and I agree with) is that with the current structure you can use a token that is nearing its expiration to request another token, thus giving you the ability to have an unlimited supply of tokens. This is acceptable for many low-security applications, but definitely not recommended in general.

In later tutorials I have made changes that require the credentials that are sent to request a token to be username and password, so passing a token would not allow you to request a new token.

adamperez commented 7 years ago

Ideally, I was hoping to make only one request for a token, then have a frontend application, or any call to my flask app, need to use just that one token without refreshing.

However, I think this can be achieved by sending user and pass in the header every time.

miguelgrinberg commented 7 years ago

Yes. You can also change the code to generate a token that does not expire, that is available as an option in itsdangerous.
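An added example, not code from the REST-auth repository, that shows the two points made in this thread in plain Python: a token endpoint that lets a nearly expired token mint a fresh one (the original structure) beside one that only issues tokens to callers who presented a password, plus the non-expiring token variant. It signs with the standard library's hmac instead of itsdangerous; the secret and user table are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-secret"          # constructed, not a real key
USERS = {"alice": "correct horse battery"}       # constructed user table

def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()

def generate_auth_token(username, expires_in=600, now=None):
    """Signed token with a 600 s lifetime; expires_in=None never expires."""
    now = time.time() if now is None else now
    claims = {"user": username,
              "exp": None if expires_in is None else now + expires_in}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def verify_auth_token(token, now=None):
    """Return the username for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None                              # not a token at all
    if not hmac.compare_digest(_sign(body), sig):
        return None                              # tampered or wrong key
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] is not None and now > claims["exp"]:
        return None                              # expired
    return claims["user"]

def authenticate(username_or_token, password, now=None):
    """Like the tutorial's verify_password: try a token, then a password.
    Returns (user, via_token) so the caller knows which credential was used."""
    user = verify_auth_token(username_or_token, now)
    if user:
        return user, True
    if USERS.get(username_or_token) == password:
        return username_or_token, False
    return None, False

def issue_token(username_or_token, password, now=None, allow_token_refresh=False):
    """Token endpoint. allow_token_refresh=True reproduces the original
    structure, where a token can be exchanged for a new token indefinitely.
    The default refuses that: only a password may mint a token."""
    user, via_token = authenticate(username_or_token, password, now)
    if user is None or (via_token and not allow_token_refresh):
        return None
    return generate_auth_token(user, now=now)
```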

adamperez commented 7 years ago

Awesome, thank you so much for your input!