
Improved session lengths


Since we switched to OAuth for user logins, we’ve had sessions which only last one day. The more you use Ghost, the more annoying this gets, and with the editor now working much better on mobile devices where password managers don’t really work, this is only getting more frustrating.

Ideally we need to change the sessions so that they last for a month.

Making this change is simple, but there is a bit of consideration to be done. As far as I understand it, our refresh token expiry date is automatically extended each time it’s swapped for an access token. Moving towards using a refresh token for a month would mean that refresh tokens may be kept around almost indefinitely. Ideally, we’d probably like to swap refresh tokens for a brand new token every once in a while but I’m not sure that the oauth2orize, passport & ember-simple-auth combo we’ve got going on has any way to do that.

Thoughts on a post card!

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 17 (17 by maintainers)

Top GitHub Comments

1 reaction
ErisDS commented, Mar 10, 2017

Should this issue be closed now?

0 reactions
kirrg001 commented, Feb 10, 2017

@kevinansfield and I jumped in a call.

We agreed on the following simple solution:

  • increase access token length to 30 days
  • increase refresh token length to 6 months
  • refresh the access token on each app boot
    • this means, refreshing the access token on each page refresh
      • for LTS: increasing the access token length to 30 days can still auto logout the user after 30 days, because ember would request a new access token only once and this is randomly before the 30 days expiry is reached. That’s why refreshing the tokens on each app boot will decrease the chance even more to get auto logged out
      • for LTS: the only edge case which we can’t cover is that if the user has the admin open for 30 days without refreshing the page a single time and the request to refresh the token fails because of network problems
    • if this particular request fails on app boot, ember will keep the old pair of tokens
    • refresh token gets only transmitted on every page refresh and not every hour

We will add these changes both for LTS and 1.0.0 today - because of consistency and it’s quite easy to add them.

The chance of getting auto logged out is almost 0 and this should cover all of our cases:

  • LTS auto logout when you have your blog open for an hour and ember can’t request a fresh access token because of e.g. internet problems
  • 1.0.0 auto logout, if your refresh token expired

Facts to keep in mind

  • refresh token expiry gets extended automatically when the access token gets refreshed
  • on my.ghost.org our session length is 10years. Auto logout is in theory impossible.
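
The issue raises the concern that a sliding refresh token expiry lets one refresh token live almost indefinitely, and wishes for swapping it for a brand new token. The sketch below is an added example, not Ghost's code or anything posted in the thread: it models the 30 day and 6 month lifetimes agreed above with a hypothetical in-memory `TokenStore`, and adds rotation on every refresh. The absolute session cap (`MAX_SESSION`) and the revocation of a session when a rotated token is replayed are assumptions that go beyond what the thread decided.

```javascript
const { randomBytes } = require('crypto');

const DAY = 24 * 60 * 60 * 1000;
const ACCESS_TTL = 30 * DAY;   // access token lifetime agreed in the thread
const REFRESH_TTL = 182 * DAY; // "6 months", approximated here as 182 days
const MAX_SESSION = 365 * DAY; // assumption: absolute cap, not from the thread

class TokenStore {
  constructor() {
    this.refreshTokens = new Map(); // token -> { session, expires, used }
  }

  // Login starts a session and hands out the first token pair.
  login(user, now) {
    return this.issue({ user, start: now }, now);
  }

  issue(session, now) {
    const refreshToken = randomBytes(32).toString('hex');
    // Sliding expiry, but never past the absolute session cap.
    const expires = Math.min(now + REFRESH_TTL, session.start + MAX_SESSION);
    this.refreshTokens.set(refreshToken, { session, expires, used: false });
    return {
      accessToken: randomBytes(32).toString('hex'),
      accessExpires: Math.min(now + ACCESS_TTL, expires),
      refreshToken,
      refreshExpires: expires,
    };
  }

  // Called on each app boot: swap the refresh token for a brand new pair.
  refresh(refreshToken, now) {
    const rec = this.refreshTokens.get(refreshToken);
    if (!rec || now >= rec.expires) return null; // unknown or expired
    if (rec.used) {            // replay of an already rotated token
      this.revoke(rec.session); // drop every token of that session
      return null;
    }
    rec.used = true;           // single use: the old refresh token is dead
    return this.issue(rec.session, now);
  }

  revoke(session) {
    for (const [token, rec] of this.refreshTokens) {
      if (rec.session === session) this.refreshTokens.delete(token);
    }
  }
}
```

Timestamps are passed in as milliseconds so the expiry arithmetic can be checked without waiting; a real store would persist the records and use the current time.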