CodingDoug
commented
1 year ago Right now the options for expiration are "none" and "default". If "none" is the new default, then what are the options going to be?
Closed penberg closed 1 year ago
CodingDoug
commented
1 year ago Right now the options for expiration are "none" and "default". If "none" is the new default, then what are the options going to be?
athoscouto
commented
1 year ago We do the current way because non-expiring tokens require extra care.
We could add a prompt or warning telling them that. I don't want a CLI cluttered with too many of those. But maybe we're not there yet.
haaawk
commented
1 year ago The problem is that using expiring token without realising it causes a serious troubles. Switching non-expiring token to expiring usually does not cause down time. Token expiring in the middle of the night causes an incident.
So in fact expiring tokens require extra care or you may experience down time of your system and real loss for your business. non-expiring tokens are less secure but that's still better than your service/app stopping to work suddenly. Unless we have refresh tokens, non-expiring tokens is probably what most people will be using. Manually refreshing tokens is just too much pain.
penberg
commented
1 year ago I don't see much downside in non-expiring tokens by default because you can always turso db tokens invalidate if you leak one.
@CodingDoug The options for --expire should probably be never (default) and some human readable time duration, for example "7d" or something.
StefanoSaffran
commented
1 year ago I was taking a look at this one, but after doing some tests, I think it depends on some changes in the API too, right?
I did a quick look there and I didn't find an issue about it, should I create it?
haaawk
commented
1 year ago I created on here https://github.com/chiselstrike/iku-turso-api/issues/385 @StefanoSaffran
People will run
turso db tokens create, which expires by default. Let's make a non-expiring token by default.