change to authentication token and response data
This commit is contained in:
@@ -82,6 +82,19 @@ todo: integration tests bombing due to side effect of dltoken creation changing
|
||||
which if same account login again breaks
|
||||
FIX: fix below and implment new dl token plan will fix this
|
||||
|
||||
todo: dl token and multiple logins
|
||||
- what if user fetches dl token *after* login from route and server returns existing valid dl token from first jwt key login?
|
||||
- but same issue really, because eventually the token expires and so what happens then, they've just logged in, fresh jwt but dltoken has 1 minute left on it
|
||||
- possible steps:
|
||||
user login
|
||||
fetch session data after login
|
||||
- route sees no dltoken or expired, generates new one and returns it
|
||||
|
||||
User login again
|
||||
fetch session data after login
|
||||
- route sees valid dltoken still and just returns it
|
||||
|
||||
|
||||
todo: JWT tokens, revoking expiring etc, look at this: https://github.com/ptboyer/restful-api-design-tips#authentication
|
||||
todo: PLANNING session tracking to prevent logging in from multiple devices with same account
|
||||
- right now if I login as same user on another browser the download token becomes invalid on the first computer
|
||||
@@ -92,13 +105,11 @@ todo: PLANNING session tracking to prevent logging in from multiple devices with
|
||||
- JWT TOKEN for image download??
|
||||
- JWT TOKEN too large? sb as tiny as possible, currently too much info in it?
|
||||
ACTION:
|
||||
- First determine if this is a bad thing or should be supported to some degree.
|
||||
- like, maybe user is in more than one tab at the same time?
|
||||
- or, maybe user is signed in at office and on road and needs both up??
|
||||
- Is there *any* reason to support this considering users can just make as many accounts as they need to ensure no overlap.
|
||||
- what could go wrong other than dl tokens?
|
||||
- See if jwt gets sent back to server with the dl token, if not, consider adding it somehow so can ensure it's still valid at server
|
||||
- if not valid then sends a 401 not authorized
|
||||
- I've decided to *NOT* allow simultaneous same login sessions
|
||||
- If user logs in then prior jwt is invalidated somehow (in db tracking)
|
||||
- So user's won't share passwords, gives more control and security and supports future 2fa scenario
|
||||
- This will absolutely FUCK UP the integration tests so I guess I need a workaround for that
|
||||
- Actually, are they really logging in fresh again? I think it logs in once and then shares the token...must check
|
||||
|
||||
todo: User dl token and other data in JWT not required should be fetched seperately
|
||||
Currently in token WAY too much stuff:
|
||||
|
||||
@@ -46,10 +46,10 @@ export function processLogin(response) {
|
||||
apiToken: response.data.token,
|
||||
authenticated: true,
|
||||
userId: Number(token.id),
|
||||
userName: token.name,
|
||||
roles: token["ayanova/roles"],
|
||||
userType: token["usertype"],
|
||||
dlt: token["dlt"]
|
||||
userName: response.data.name,
|
||||
roles: response.data.roles,
|
||||
userType: response.data.usertype,
|
||||
dlt: response.data.dlt
|
||||
});
|
||||
|
||||
//Initialize the application
|
||||
|
||||
Reference in New Issue
Block a user