jpulgarin/django-tokenapi

Allow per-token timeout

alanjds opened this issue · 1 comments

Hi.

I'll need some tokens to have an arbitrary timeout, like some minutes for some and "until revoked" for others. Any tips on how to implement this?

My plan is to use this with https://github.com/tomchristie/django-rest-framework, as said in encode/django-rest-framework#9

This wouldn't be that hard to implement. Right now the token is made up of the timestamp in base 36, followed by a dash, followed by a hash of the username and the timestamp (so that you can verify that the base 36 timestamp has not been tampered with).

Simply prepend the token with how long it should be valid for (and a special value for "never"), and make sure to use it as part of the hash as well so as to avoid tampering.

The code you want is in tokenapi/tokens.py.
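
A sketch of the scheme suggested in the reply above, added here as an example; it is not code from `tokenapi/tokens.py`. Assumptions: the function names, the `ttl-timestamp-mac` layout, `0` as the "never" value, the constructed `SECRET_KEY`, and HMAC-SHA256 standing in for the project's hash.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the server-side secret
NEVER = 0  # assumption: a ttl of 0 means "valid until revoked"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def int_to_base36(n):
    if n < 0:
        raise ValueError("negative value")
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
        if n == 0:
            return out


def _mac(username, ttl_b36, ts_b36):
    # The ttl is covered by the MAC together with the username and timestamp,
    # so editing the prefix to lengthen a token's lifetime invalidates it.
    msg = "\x00".join((username, ttl_b36, ts_b36)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(username, ttl_seconds, now=None):
    ts = int_to_base36(int(time.time() if now is None else now))
    ttl = int_to_base36(ttl_seconds)
    return "%s-%s-%s" % (ttl, ts, _mac(username, ttl, ts))


def check_token(username, token, now=None):
    try:
        ttl_b36, ts_b36, mac = token.split("-")
        ttl, ts = int(ttl_b36, 36), int(ts_b36, 36)
    except ValueError:
        return False
    # Verify integrity in constant time before trusting ttl or ts.
    expected = _mac(username, ttl_b36, ts_b36)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if ttl == NEVER:
        return True  # revocation needs server-side state, not shown here
    now = int(time.time() if now is None else now)
    return now - ts <= ttl
```

A "never" token can only be invalidated by state the server keeps, for example a per-user value mixed into the MAC input.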