Restrict token reuse
Closed this issue · 0 comments
Hi!
First of all, thanks for this gem! I was looking for a passwordless gem, but I'm using Devise and I need to keep it because I'm also using Doorkeeper with Devise. So your gem is perfect for my use case.
I just miss one thing! I didn't see any configuration to restrict token reuse. It's important to be able to make magic links that expire after first use; that really enforces the security of magic links.
I would like to do it myself, but I'm not even sure it could be done because of the way the gem was made. Tokens seem to be stateless, so I don't see how to revoke them.
But I also found that there is a "passwordless_expire_old_tokens_on_sign_in" option, so it seems that we can expire tokens by hand.
Can we?
Thanks for your help.
EDIT: Sorry, I just realized how dumb my request was. In fact, the passwordless_expire_old_tokens_on_sign_in option is exactly what I need. I was looking for token expiration, but after digging in the code, I saw that the gem takes the last_login time and makes a comparison with the token creation time. The result is the same: as soon as a login is successful, all tokens are expired because last_login has been updated. No need to expire tokens one by one ...
Sorry for the useless issue!
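To illustrate the mechanism the issue describes (stateless tokens invalidated by comparing their creation time with the user's last login), here is an added example that is not code from the gem: the `User` class, `MagicToken` struct, `token_valid?` function and the `expire_old_on_sign_in` keyword are constructed stand-ins for the gem's model, token and `passwordless_expire_old_tokens_on_sign_in` option.

```ruby
require "time"

# Constructed stand-in for a Devise user record; only the timestamp matters here.
class User
  attr_accessor :email, :last_login
  def initialize(email, last_login: nil)
    @email = email
    @last_login = last_login
  end
end

# Constructed stateless token: it carries who it is for and when it was issued,
# nothing that needs to be stored or revoked server-side.
MagicToken = Struct.new(:email, :created_at)

# A token is usable only while it is within its lifetime and, when the
# "expire old tokens on sign in" behaviour is on, only if it was issued
# after the user's most recent login.
def token_valid?(token, user, now: Time.now, lifetime: 20 * 60, expire_old_on_sign_in: true)
  return false if token.email != user.email
  return false if now - token.created_at > lifetime # lifetime expiry
  if expire_old_on_sign_in && user.last_login
    return false if token.created_at <= user.last_login # issued before last login
  end
  true
end

# A successful sign-in updates one timestamp; no per-token bookkeeping is needed.
def sign_in!(user, at:)
  user.last_login = at
end

# Walkthrough with constructed times: two links are requested, one is used,
# and the other is invalidated along with it.
def demo
  t0 = Time.parse("2024-01-01 10:00:00 UTC")
  user = User.new("alice@example.com")
  first  = MagicToken.new(user.email, t0)
  second = MagicToken.new(user.email, t0 + 60)
  before = [token_valid?(first, user, now: t0 + 120), token_valid?(second, user, now: t0 + 120)]
  sign_in!(user, at: t0 + 120) # the user clicks the second link
  after = [token_valid?(first, user, now: t0 + 180), token_valid?(second, user, now: t0 + 180)]
  # Without the option, the unused first link would still be accepted (reuse window).
  without_option = token_valid?(first, user, now: t0 + 180, expire_old_on_sign_in: false)
  fresh = MagicToken.new(user.email, t0 + 300) # a link issued after login still works
  { before: before, after: after, without_option: without_option,
    fresh: token_valid?(fresh, user, now: t0 + 360) }
end
```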