rainlab / user-plugin

Front-end user management.

Questions: around the JWT token #535

Closed chrisvidal closed 6 months ago

chrisvidal commented 6 months ago

Is there a plan to include an expiry date for the JWT token? With that, mobile apps and other clients would know whether they should refresh the token instead of receiving a blank 403 status code error after a while.

Second question: what is the session token duration per default and can we change it?

thanks

daftspunk commented 6 months ago

Hi @chrisvidal

Yes, the expiry is set here:

$expireAt = Carbon::now()->addMinutes(Config::get('rainlab.user::bearer_token.ttl') ?? 60);

You can set it in the file-based configuration. It is currently set to 60 minutes.

chrisvidal commented 6 months ago

Thanks @daftspunk, in which version of the plugin is this available? I don't find this setting in v2.1.0. Also, is it possible to make the expiry date available through the session token so that we can get it from an external API call?

daftspunk commented 6 months ago

Yes, it should be available in the token as exp and available in v2.1
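As an added example (not code from the plugin or from either participant), the following Python sketch shows the mechanics the thread describes: a token minted with `exp` set to the issue time plus the TTL (60 minutes by default), a client that reads `exp` without verifying the signature so it can refresh before the server starts answering 403, and the server-side check that actually enforces the signature and the expiry. The signing secret, user id and timestamps are constructed for the example; the plugin's real key and claim layout are not on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secret for this example only; it is not the plugin's key.
EXAMPLE_SECRET = b"example-secret-not-the-plugins-key"
DEFAULT_TTL_MINUTES = 60  # same fallback as the bearer_token.ttl line quoted in the thread


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, issued_at: int, ttl_minutes: int = DEFAULT_TTL_MINUTES) -> str:
    """Mint an HS256 JWT whose exp is issued_at + ttl, as the thread describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": issued_at, "exp": issued_at + ttl_minutes * 60}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(EXAMPLE_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def read_exp(token: str) -> Optional[int]:
    """Client side: read exp WITHOUT verifying the signature.

    A mobile or web client has no key to verify with; it only uses exp to
    schedule a refresh. Validity is still decided by the server.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    return exp if isinstance(exp, int) else None


def needs_refresh(token: str, now: int, margin_seconds: int = 300) -> bool:
    """True when the token is expired or will expire within margin_seconds."""
    exp = read_exp(token)
    if exp is None:
        return True  # no readable exp: treat the token as unusable and refresh
    return exp - now <= margin_seconds


def verify_token(token: str, now: int) -> bool:
    """Server side: pin the algorithm, constant-time signature check, then enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        signing_input = parts[0] + "." + parts[1]
        expected = hmac.new(EXAMPLE_SECRET, signing_input.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False
    exp = payload.get("exp") if isinstance(payload, dict) else None
    return isinstance(exp, int) and now < exp


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(42, now)
    print("exp claim:", read_exp(token))
    print("needs refresh now?", needs_refresh(token, now))
    print("server accepts?", verify_token(token, now + 10))
```

The client-side `read_exp` deliberately skips verification: it is a scheduling hint, not an authorization decision, which is why the server's `verify_token` checks the algorithm, the signature and `exp` independently of anything the client concluded.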

chrisvidal commented 6 months ago

This is weird, I don't see it in the config file and there is no auth config file.

This is the config file I see in v2.1.0:

<?php

use RainLab\User\Models\Settings;

return [

    /*
    |--------------------------------------------------------------------------
    | Activation mode
    |--------------------------------------------------------------------------
    |
    | Select how a user account should be activated.
    |
    | ACTIVATE_ADMIN    Administrators must activate users manually.
    | ACTIVATE_AUTO     Users are activated automatically upon registration.
    | ACTIVATE_USER     The user activates their own account using a link sent to them via email.
    |
    */

    'activateMode' => Settings::ACTIVATE_AUTO,

    /*
    |--------------------------------------------------------------------------
    | Allow user registration
    |--------------------------------------------------------------------------
    |
    | If this is disabled users can only be created by administrators.
    |
    */

    'allowRegistration' => true,

    /*
    |--------------------------------------------------------------------------
    | Prevent concurrent sessions
    |--------------------------------------------------------------------------
    |
    | When enabled users cannot sign in to multiple devices at the same time.
    |
    */

    'blockPersistence' => false,

    /*
    |--------------------------------------------------------------------------
    | Login attribute
    |--------------------------------------------------------------------------
    |
    | Select what primary user detail should be used for signing in.
    |
    | LOGIN_EMAIL       Authenticate users by email.
    | LOGIN_USERNAME    Authenticate users by username.
    |
    */

    'loginAttribute' => Settings::LOGIN_EMAIL,

    /*
    |--------------------------------------------------------------------------
    | Minimum Password Length
    |--------------------------------------------------------------------------
    |
    | The minimum length of characters required for user passwords.
    |
    */

    'minPasswordLength' => 8,

    /*
    |--------------------------------------------------------------------------
    | Remember login mode
    |--------------------------------------------------------------------------
    |
    | Select if the user session should be persistent.
    |
    | REMEMBER_ALWAYS   Always persist user session.
    | REMEMBER_ASK      Ask if session should be persistent.
    | REMEMBER_NEVER    Never persist user session.
    |
    */

    'rememberLogin' => Settings::REMEMBER_ALWAYS,

    /*
    |--------------------------------------------------------------------------
    | Sign in requires activation
    |--------------------------------------------------------------------------
    |
    | Users must have an activated account to sign in.
    |
    */

    'requireActivation' => true,

    /*
    |--------------------------------------------------------------------------
    | Throttle registration
    |--------------------------------------------------------------------------
    |
    | Prevent multiple registrations from the same IP in short succession.
    |
    */

    'useRegisterThrottle' => true,

    /*
    |--------------------------------------------------------------------------
    | Throttle attempts
    |--------------------------------------------------------------------------
    |
    | Repeat failed sign in attempts will temporarily suspend the user.
    |
    */

    'useThrottle' => true,
];
daftspunk commented 6 months ago

It's there, although, I think we never made a release for it:

https://github.com/rainlab/user-plugin/blob/2.x/config/config.php#L133

chrisvidal commented 6 months ago

If I search inside the plugin code, I don't find this line of code $expireAt = Carbon::now()->addMinutes(Config::get('rainlab.user::bearer_token.ttl') ?? 60);

nor a simple bearer_token.ttl

daftspunk commented 6 months ago

Try targeting this version in composer: 2.x-develop

chrisvidal commented 6 months ago

When I try this, composer is not happy :)

Could not parse version constraint 2.x-develop: Invalid version string "2.x-develop"

daftspunk commented 6 months ago

Sorry, I think it's 2.x-dev