shotvibe / shotvibe-web

ShotVibe REST API webservice

Obsolete authorization tokens not deleted? #92

Closed Oblosys closed 6 years ago

Oblosys commented 10 years ago

I noticed in https://www.shotvibe.com/admin/phone_auth/authtoken/?p=10 that for a single User/Description pair there may be several authorization tokens. Is there a reason to keep the old ones? Or has it been fixed and is this simply an old database? (My own (multiple) registration actions did not seem to leave any old tokens around.)

benny-shotvibe commented 10 years ago

This is also security-related. We should only allow a single Auth Token to exist for an individual phone number: it doesn't make sense for a user to be simultaneously logged in from multiple devices with the same phone number.

Note however, that it is possible for users to be logged in with multiple Auth Tokens from multiple devices (tablets).

In order to handle this I think we need a new (nullable) PhoneNumber column in the AuthToken model. We'll do this later.
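The policy proposed in the comment above (one live token per phone number, with a nullable phone-number field so tablet logins that are not tied to a number can keep several tokens) can be sketched as follows. This is an added illustration, not code from the shotvibe-web repository: the `AuthToken`/`AuthTokenStore` classes, the `issue`, `revoke_for_phone` and `authenticate` methods and the in-memory dictionary are all stand-ins for whatever the project's Django model and queryset would do. The security point it makes concrete is that issuing a new token for a phone number revokes the obsolete ones, so they stop authenticating instead of lingering in the table.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthToken:
    """Hypothetical stand-in for the AuthToken row discussed in the issue."""
    key: str
    user_id: int
    description: str
    phone_number: Optional[str]  # nullable: None for devices not bound to a number (tablets)


class AuthTokenStore:
    """In-memory stand-in for the AuthToken table (illustrative only)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AuthToken] = {}

    def issue(self, user_id: int, description: str,
              phone_number: Optional[str] = None) -> AuthToken:
        """Create a token; a phone-bound login first revokes any token for that number."""
        if phone_number is not None:
            # One live token per phone number: delete obsolete ones rather than
            # leaving them valid alongside the new one.
            self.revoke_for_phone(phone_number)
        token = AuthToken(secrets.token_hex(20), user_id, description, phone_number)
        self._tokens[token.key] = token
        return token

    def revoke_for_phone(self, phone_number: str) -> int:
        """Delete every token bound to phone_number; returns how many were removed."""
        stale = [k for k, t in self._tokens.items() if t.phone_number == phone_number]
        for k in stale:
            del self._tokens[k]
        return len(stale)

    def authenticate(self, key: str) -> Optional[AuthToken]:
        """Return the token for key, or None if it was never issued or has been revoked."""
        return self._tokens.get(key)

    def tokens_for_user(self, user_id: int) -> List[AuthToken]:
        return [t for t in self._tokens.values() if t.user_id == user_id]


def demo() -> dict:
    """Constructed scenario: a phone re-registers twice, plus two tablets for the same user."""
    store = AuthTokenStore()
    first = store.issue(1, "iPhone", phone_number="+15550001111")
    tablet_a = store.issue(1, "iPad")            # phone_number=None
    tablet_b = store.issue(1, "Nexus 7")         # phone_number=None
    second = store.issue(1, "iPhone", phone_number="+15550001111")  # same number again
    other = store.issue(2, "Android", phone_number="+15550002222")  # unrelated number
    return {
        "first_still_valid": store.authenticate(first.key) is not None,
        "second_valid": store.authenticate(second.key) is not None,
        "tablets_valid": all(store.authenticate(t.key) is not None for t in (tablet_a, tablet_b)),
        "other_valid": store.authenticate(other.key) is not None,
        "user1_token_count": len(store.tokens_for_user(1)),
    }


if __name__ == "__main__":
    print(demo())
```

In a real Django model the same rule would be a `delete()` on the queryset filtered by phone number inside the same transaction that creates the new token, so that a crash between the two steps cannot leave a window with zero or two valid tokens.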

Oblosys commented 10 years ago

For testing, it can be nice to have the same phone number for several devices (including the simulator). Also, if someone puts his SIM card in a different phone, it may make sense to keep the authorization intact, but this is not a very common situation.

benny-shotvibe commented 10 years ago

Yep, I agree. We should make sure that there is only a single auth token for a single phone number. We'll handle this later.