tappleby / laravel-auth-token

Hooks into the Laravel auth module and provides an auth token upon success. This token is really only secure in an HTTPS environment. The main purpose of this module was to provide an auth token to a JavaScript web app, which could be used to identify users on API calls.
MIT License

multiple tokens per user #32

Open dennisoderwald opened 10 years ago

dennisoderwald commented 10 years ago

Hi,

we want to allow multiple tokens per user. It always updates the existing entry. Is it possible?

dennisoderwald commented 10 years ago

Multiple tokens, separated via session ID handling: every request with a valid token updates the 'updated_at' field in the users table. Maybe?

tappleby commented 10 years ago

I just saw your PR #33. I won't be merging this one, since the main advantage of auth tokens is that they are not tied to a specific session ID.

The issue with multiple tokens per user is that all existing tokens are being purged when a new one is created; the original reason for doing this was the lack of expiration on the tokens. Once #23 is implemented, purging the tokens won't be a requirement.

dennisoderwald commented 10 years ago

@tappleby That's not correct. In my PR (#33), I delete all tokens with the same session_id, not all entries per user. An expiry can be implemented with something like 'expired_at' and a cron job that checks for and handles the ghosts in the database.

But with your current release it's not possible to store multiple tokens per user, and nobody can build an app that requires multiple tokens.

I think my solution with handling session IDs is a compromise.

Did you look at my code?

tappleby commented 10 years ago

I did look over your code, it also failed the Travis CI build (probably a missing dependency).

My point with "deleting all tokens per user" was referring to the current release.

I am hesitant to add the session package as a dependency unless absolutely required. The sessions depend on cookies + the state of the server; ideally the auth tokens are portable + stateless. With PR #33 there is no way to delete all auth tokens; it depends on having a matching session ID. I think something like the remember_token functionality in Laravel auth, which gets invalidated on logout, might be better suited: purge all tokens on logout (destroy) instead of on create.

The expired_at + artisan task via cron is something I have been looking at. I have also been looking into JSON Web Tokens (JWT). One advantage I see with these is that all the information is stored in the token, which means you don't even need the DB table or cron job. The main downside is you don't have a record of tokens issued on the server.
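One way to put the design sketched in this comment into code: several live tokens per user (one per device), an expiry on each row, revocation on logout rather than on issue, and a cron-style purge of expired rows. This is an added example, not laravel-auth-token's own code; it uses an in-memory array in place of the package's database table, and the class and method names are assumptions.

```php
<?php
// Added example (not laravel-auth-token code): in-memory stand-in for the token table.
// Only a sha256 hash of each token is stored, so a leaked table does not leak usable tokens.
final class DeviceTokenStore
{
    /** @var array<string, array{user_id:int, expires_at:int}> keyed by sha256(token) */
    private array $rows = [];
    public function __construct(private int $ttlSeconds) {}
    /** Issue a fresh token and leave the user's other tokens untouched (no purge on create). */
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));            // 256 bits of randomness, URL-safe hex
        $this->rows[hash('sha256', $token)] = ['user_id' => $userId, 'expires_at' => $now + $this->ttlSeconds];
        return $token;                                  // plaintext goes to the client once; only the hash is kept
    }
    /** Map a presented token to a user id, or null if it is unknown or expired. */
    public function resolve(string $token, int $now): ?int
    {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        return ($row === null || $row['expires_at'] <= $now) ? null : $row['user_id'];
    }
    /** Logout on one device revokes only that device's token. */
    public function revoke(string $token): void
    {
        unset($this->rows[hash('sha256', $token)]);
    }
    /** "Log out everywhere": the remember_token-style purge, done on logout instead of on create. */
    public function revokeAll(int $userId): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn ($r) => $r['user_id'] !== $userId);
        return $before - count($this->rows);
    }
    /** What the cron-driven artisan task would do: drop rows whose expires_at has passed. */
    public function purgeExpired(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn ($r) => $r['expires_at'] > $now);
        return $before - count($this->rows);
    }
}
// Constructed usage: one user, two devices, one-hour tokens, timestamps as plain integers.
$store  = new DeviceTokenStore(3600);
$phone  = $store->issue(42, 1000);
$laptop = $store->issue(42, 1000);
assert($store->resolve($phone, 2000) === 42 && $store->resolve($laptop, 2000) === 42); // both live
$store->revoke($phone);                                            // phone logs out, laptop stays signed in
assert($store->resolve($phone, 2000) === null && $store->resolve($laptop, 2000) === 42);
assert($store->purgeExpired(5000) === 1);                           // laptop token expired at 4600
```

Swapping the array for the package's table gives the same behaviour with a `DELETE ... WHERE expires_at <= now()` as the scheduled purge.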

bastiendonjon commented 10 years ago

I think it is a good idea. Otherwise, what if a user connects to an API from two different locations and must not remove the last session?

sanketsahu commented 10 years ago

Multiple sessions are a much-needed feature. Is it on your list?

bastiendonjon commented 10 years ago

Finally, for this I use OAuth2: https://github.com/lucadegasperi/oauth2-server-laravel

schilakamarri commented 10 years ago

Is there an update on this?

jdhiro commented 10 years ago

This would really be helpful in my project. I'm expecting a single user to sign in on multiple devices, and it's not ideal if they get signed out of other devices when they do that. Thanks!

sanketsahu commented 10 years ago

It may be unrelated but I am switching to Node.js with Sails framework for APIs because of obvious reasons.

jdhiro commented 10 years ago

@sanketsahusoft seems silly to switch an entire language/framework/server because one module doesn't do exactly what you want out of the box. If you're going to do all that work, you could just add the feature and submit a PR ;)

sanketsahu commented 10 years ago

@jdhiro I love PHP and Laravel, and moreover I really like this laravel-auth-token package and have also used it in one of my projects. I am not switching to another language and framework because of this particular issue. It's a completely different discussion, and so I started off with "It may be unrelated..."

Just wanted to let the people know about other possibilities which may be helpful. :-)

sanketsahu commented 10 years ago

I forked this project to provide multiple sign-in https://github.com/sahusoftcom/laravel-auth-token

I actually just commented out the line which was clearing all the tokens of the same user.

Known bug: It does not clear the sessions if no logout is performed, leaving many entries in the database.

jdhiro commented 10 years ago

@sanketsahusoft :+1:

dennisoderwald commented 9 years ago

Update?

esmaeilzadeh commented 9 years ago

This is not a backend-only feature. The client side should provide an identifier for each device that wants to log in, so when you log out from one of these devices, the access token of this device is erased, and when you log in again on each device, the access token related to that device is updated.

malhal commented 9 years ago

I'd really like to see this feature too. If the same user can't be logged in simultaneously on all their devices, it's pretty useless.