Wekan

Wekan is an open-source kanban board (Trello-like) that allows card-based task and to-do management.

login, tokens and expiration

Wekan / General · April 14, 2020 at 5:01pm

Once you have registered and then logged in with Password you get a token with a token expiration date.

If you do not log out, that token and its expiration determine how long you can go to the site before you have to re-authenticate, correct?

If you log out, is that token still good for the duration of the original expiration date or are you re-issued a new token with a further in future expiration date?

Where can I change that expiration to a longer or shorter time? (in the api) or (in the GUI) or (in mongo collection)

Can I remove the expiration time so it never times out? (in the api) or (in the GUI) or (in mongo collection)

Can I force the token to expire prematurely with no user activity for a while (like 4 hours)? (in the api) or (in the GUI) or (in mongo collection)

I have an application where for some features for some users are already logged into another application and for many accounts they all see wekan as a web page embed, so getting another challenge/response to auth into wekan is a limitation. Call it a trust relationship between the two apps. The mother app has a very high authentication hurdle (three keys and two factor). Trying to automate or at least streamline the auth back into wekan.

Thanks as always

April 15, 2020 at 3:11pm

I use both obviously

login expiration is a mongo setting in what collection?

I see resume.logintoken in user collection in mongo and they have an issue date

is loginexpirationindays set to three days or zero days

is that in snap setup?

if not where?

If so I can manually delete the tokens whenever I want

like with no activity or if we have too many tokens floating around we no longer need as they have been replaced in effect by newer ones

so I would set that (where I have to) to zero and then run my own method to police in the meantime

I looked online for wekan loginExpirationInDays and did not find anything useful

can I assume that is settable in snap?

thanks

April 15, 2020 at 10:23pm

I think those tokens are in the mongodb database, but there is no snap setting for that

the tokens are in mongo under the header resume yes

the loginexpireindays variable I cannot find anywhere in Mongo

unless if it is not set (declared) then there is a coded default

what the link you posted above ...the line I am speaking of is:

OK, I did some research: the login tokens are stored under resume.loginTokens and you can configure the expiration with a setting loginExpirationInDays, where null or 0 means never delete tokens.

does config mean at the snap level?

April 16, 2020 at 3:31am

snap commands are environment variables passed to node.js. Those may or may not affect the database in some way. It's like sudo snap set wekan root-url='https://example.com'. You see all commands with wekan.help | less

at bash, it's export ROOT_URL=https://example.com

similarly at docker-compose.yml at https://wekan.github.io

April 16, 2020 at 5:37pm

yes, I looked at wekan.help and did not see that in the listing for snap command lines

so I guess I have to try and add that to each user in mongo directly and see what happens