Creating Permanent AccessToken in loopback

How do I create a permanent access token for a StrongLoop API? Currently, for every user login it creates an access token, and an unnecessary entry in my db.

I can increase the validity of the access token (ttl) as mentioned here.

But it will still generate one for each new login.

Bisk answered 23/9, 2015 at 11:25
7

You are mixing up 2 different things: the AccessToken entry creation and the ttl value for the AccessToken.

When a user logs in, a new AccessToken is created. If the user logs out, the AccessToken is removed. If the user logs in 2 times, for example from 2 different devices, then you will get 2 AccessTokens, so this way the user will be able to access your app from the 2 devices simultaneously.

If the user wants to log in from the same device and he already has a valid token, your app should recognise this and log him in automatically.

Obviously, if the ttl value has expired, the token will not be valid any more. This token will be removed if someone tries to use it. I guess if you don't want these records in your database, you could create a custom cron job that removes expired tokens.

Regarding the permanent access token, it would require disabling the ttl value, and that is not possible at the moment for the default AccessToken model. I created a pull request to support that; if you are interested, you could chime in and see if it gets merged.

Barbusse answered 5/11, 2015 at 9:29

Jesus Carrera, when you mention "If the user wants to log in from the same device and he already has a valid token, your app should recognise this and log him in automatically", what do you mean? I can't find the proper method in the User model or extended User model to log in the user with the valid token; I am probably missing something. All I can see is a way of authenticating the user by asking again for the username / pwd, which I understand is not the way to go if the user has a valid token? Can you provide some insight on how to log in the user with the valid token? – Hanafee

If you have a valid access token you are already logged in; you just need to supply the access token with every request that needs authentication. – Tiepolo

12

Loopback has an option that will allow you to create a permanent access token:

allowEternalTokens (Boolean): Allow access tokens that never expire.

https://loopback.io/doc/en/lb3/Model-definition-JSON-file.html#advanced-options

Here's what I did:

  1. Enable allowEternalTokens for the User model

    In server/model-config.json:

    "User": {
      "dataSource": "db",
      "options": {
        "validateUpsert": true,
        "allowEternalTokens": true
      }
    },
    
  2. When logging in, set ttl to -1

    User.login(
      {
        email: email,
        password: password,
        ttl: -1, // only accepted when allowEternalTokens is enabled on the user model
      },
      function(err, token) {
        if (err) throw err;
        // token.id is the permanent access token; keep it and do not log in again
        console.log(token.id);
      }
    );

  3. As you've already figured out, every time you log in a new (different) access token will be created. So if you want to reuse the same access token, log in only once. You can get the access token from the AccessToken model (or directly from the database):

    AccessToken.findOne(
      {
        where: {
          userId: userId,
        },
      },
      function(err, token) {
        if (err) throw err;
        // token is null if this user has never logged in
        console.log(token ? token.id : 'no token for this user');
      }
    );


If you have a custom user model, you can set allowEternalTokens directly in the model definition file. In addition, if you have a custom user model you'll also need to update the relations of the AccessToken model (either the built-in one or your custom one if you have it) to point to the custom user model.

More info on custom user/access token models here: http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models

Owades answered 29/5, 2018 at 19:39

Thanks for the answer, helped me a lot :) – Langdon

© 2022 - 2024 — McMap. All rights reserved.