Wekan

Wekan is an open-source kanban board (Trello like) which allows a card-based task and to-do management.

login, tokens and expiration

Wekan / General · April 14, 2020 at 5:01pm

Once you have registered and then logged in with Password you get a token with a token expiration date.

If you do not log out, that token and its expiration determine how long you can go to the site before you have to re-authenticate, correct?

If you logout, is that token still good for the duration of the original expiration date or are you re-issued a new token with a further in future expiration date?

Where can I change that expiration to a longer or short time? (in the api) or (in the GUI) or (in mongo collection)

Can I remove the expiration time so it never times out? (in the api) or (in the GUI) or (in mongo collection)

Can I force the token to expire prematurely with no user activity for a while (like 4 hours)? (in the api) or (in the GUI) or (in mongo collection)

I have an application where for some features for some users are already logged into another application and for many accounts they all see wekan as a web page embed, so getting another challenge/response to auth into wekan is a limitation. Call it a trust relationship between the two apps. The mother app has a very high authentication hurdle (three keys and two factor). Trying to automate or at least streamline the auth back into wekan.

Thanks as always


April 15, 2020 at 12:49am

Hmm, it seems 2018 called again about token issue https://github.com/wekan/wekan/issues/1437

April 15, 2020 at 3:09pm

ok that issue is a good reference thank you

so

I may be incorrect in my assumptions

gui tokens have that attribute loginExpirationInDays or is that REST tokens?

I use both obviously

login expiration is a mongo setting in what collection?

I see resume.logintoken in user collection in mongo and they have an issue date

is loginExpirationInDays set to three days or zero days

is that in snap setup?

if not where?

If so I can manually delete the tokens whenever I want

like with no activity or if we have too many tokens floating around we no longer need as they have been replaced in effect by newer ones

so I would set that (where I have to) to zero and then run my own method to police in the meantime

I looked online for wekan loginExpirationInDays did not find anything useful

can I assume that is settable in snap?

thanks

April 15, 2020 at 10:23pm

I think those tokens are in the MongoDB database, but there is no snap setting for that

the tokens are in mongo under the header resume yes

the loginexpireindays variable I cannot find anywhere in Mongo

unless if it is not set (declared) then there is a coded default

what the link you posted above ...the line I am speaking of is:

OK, I did some research: the login tokens are stored under resume.loginTokens, and you can configure the expiration with a setting loginExpirationInDays, where null or 0 means never delete tokens.

does config mean at the snap level?
April 16, 2020 at 3:31am

snap commands are environment variables passed to node.js. Those may or may not affect the database in some way. It's like sudo snap set root-url='https://example.com'. You see all commands with wekan.help | less
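The manual token cleanup discussed in this thread (removing old entries from resume.loginTokens), sketched as an added example that is not from any poster and is not Wekan's own code. It assumes the standard Meteor accounts layout, services.resume.loginTokens holding { when, hashedToken } entries; the function names and sample users are constructed. Because `when` is the issue date, this caps token age rather than idle time.

```javascript
// Added example with constructed data; not Wekan or Meteor source code.
// Assumed layout (standard Meteor accounts): each user document carries
// services.resume.loginTokens = [{ when: Date, hashedToken: String }, ...]
const TOKENS_PATH = 'services.resume.loginTokens';

// Build the arguments for db.users.updateMany(filter, update) that pull
// every login token issued more than maxAgeHours before `now`.
function buildPruneUpdate(maxAgeHours, now = new Date()) {
  if (!(maxAgeHours > 0)) throw new RangeError('maxAgeHours must be > 0');
  const cutoff = new Date(now.getTime() - maxAgeHours * 3600 * 1000);
  return {
    cutoff,
    filter: { [TOKENS_PATH + '.when']: { $lt: cutoff } },
    update: { $pull: { [TOKENS_PATH]: { when: { $lt: cutoff } } } },
  };
}

// Dry run: apply the same selection in memory to exported user documents
// and report, per user, how many tokens would be removed and kept.
function planPrune(users, maxAgeHours, now = new Date()) {
  const { cutoff } = buildPruneUpdate(maxAgeHours, now);
  return users
    .map((u) => {
      const tokens = ((u.services || {}).resume || {}).loginTokens || [];
      // Like MongoDB's $lt against a Date, only Date-typed `when` values match.
      const stale = tokens.filter((t) => t.when instanceof Date && t.when < cutoff);
      return { username: u.username, removed: stale.length, kept: tokens.length - stale.length };
    })
    .filter((r) => r.removed > 0);
}

// Constructed sample users (hashedToken values are placeholders).
const SAMPLE_USERS = [
  { username: 'alice', services: { resume: { loginTokens: [
    { when: new Date('2020-04-16T03:00:00Z'), hashedToken: 'placeholder-1' },
    { when: new Date('2020-04-16T10:00:00Z'), hashedToken: 'placeholder-2' },
  ] } } },
  { username: 'bob', services: { resume: { loginTokens: [
    { when: new Date('2020-04-16T11:00:00Z'), hashedToken: 'placeholder-3' },
  ] } } },
  { username: 'carol', services: {} },
];

const SAMPLE_NOW = new Date('2020-04-16T12:00:00Z');
console.log(planPrune(SAMPLE_USERS, 4, SAMPLE_NOW));
```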
