Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Count non expiring tokens when determining if the limit is reached #318

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Count non expiring tokens when determining if the limit is reached #318

wants to merge 1 commit into from

Conversation

morty
Copy link

@morty morty commented Oct 12, 2023

Fixes #280

Thanks to @pablomm for the code in the ticket

@giovannicimolin
Copy link
Contributor

@morty @pablomm Thanks for the contribution! That's a nice catch!

I have one concern with this change though. Once we start considering non-expiring tokens, it is possible that users end up getting locked out of their accounts after issuing a certain number of tokens without logging out properly.

We either need this behind settings flag or a way for new log-ins to remove the oldest unused token.
Do you think my concern makes sense?

@pablomm
Copy link

pablomm commented Oct 18, 2023

HI @giovannicimolin and thanks to @morty for turning the fix into a pull request.

In my case, I use these non-expiring tokens for users that uses my platform through an API. They have access to a control panel (which they access with another authentication system) where they can create, view and delete their api tokens (knox tokens which may be non-expiring). So logging out does not make sense in my use case.

The problem you comment, wouldn't it also happen if someone creates too many tokens within the expiration time?

@morty
Copy link
Author

morty commented Oct 18, 2023

To get to this situation two settings (TOKEN_TTL and TOKEN_LIMIT_PER_USER) would have had to be changed from their default values. That's a deliberate choice. For TOKEN_LIMIT_PER_USER to be ignored without warning if TOKEN_TTL is None seems dangerous. Maybe a warning in the documentation for TOKEN_LIMIT_PER_USER saying that when the limit is reached users won't be able to get another one until one of their tokens has timed out and if they are non-expiring then will be locked out until they can use another method to delete a token?

My client is using this with a very small number of end users where they could handle support requests to delete tokens if required. I could see this wouldn't be possible where there are a very large number of end users.

If LogoutAllView allowed other authentication methods like LoginView then the user could clean out their tokens with username and password. But it looks like this might have been explored before based on the warning in the docs for the LogoutAllView.

@johnraz johnraz mentioned this pull request May 2, 2024
Closed
@johnraz
Copy link
Collaborator

johnraz commented May 2, 2024

@morty @giovannicimolin I believe the change made here makes full sense, this is clearly a bug that needs to be fixed.

I would add a note to the documentation (and probably a comment in the code) that clearly explains the consequence of having dangling non-expiring tokens around.

Using non-expiring tokens should be also discouraged as it's a bad practice anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Tokens with no maximum expiration time are not counted towards the maximum number of tokens allowed
4 participants
@morty @giovannicimolin @pablomm @johnraz