Add expiration time for Personal API Tokens

Adonis comes with 4 types of authentication. Session, Basic Auth, JWT and Personal API Tokens. I know JWT has an option for expiration but Personal API Tokens doesn’t have. Is there a way this can be done?

Personal API tokens are designed to work as Github advertised them. So in theory, they should not have an expiration date -but we can revoke them anytime we need to.

Internally, however, it seems in AdonisJs there is not a real distinction between Personal API and JWT tokens (for example, the same function saveToken() is called to save them in the database, and by default the same table name tokens is in use in both cases). So I think you can use the same options described here.

I tried applying the options, it didn’t work.

Could you please say where did you apply that option ?

options: {                                                                                                                                   
  expiresIn: 'seconds here'                                                                                                                 
}

It should be done in the object of the api key:


api: {                                                                                                                                         
  serializer: 'lucid',                                                                                                                         
  model: 'App/Models/User',                                                                                                                    
  scheme: 'api',                                                                                                                               
  uid: 'email',                                                                                                                                
  password: 'password',
  options: {
   expiresIn: 'seconds here'
  }                                                                                                                         
 }
1 Like

Yes, that is where I applied it. I put 10 seconds and I was still able to use the token after 10 seconds

Maybe Virk designed it the right way, meaning as Laravel Passport and Githiub do: the expiration time of a Personal API token is always one year, it can not be changed optionally in Laravel Passport and is revoked automatically by Github if it is not used after one year. I hope @virk could have time to provide us a precise information about it.

1 Like

Okay thanks

Hi @olaoluwa-98!

Currently there is no such feature.

You can archive it through soft-deletes:
Going thro forums you can wait for V5
Or use soft-deletes (experimental) package

Or create job that will check for token timestamps and revoke token, when it expires.

Or extend existing ApiScheme class (or create new) with custom scheme and add timestamp checks for it. This might need some bigger changes in middleware, not too sure about it

1 Like

Maybe you are right, I did not find something related to this in the pieces of the source code I checked.

Somehow the design does not take in consideration the expiration time: I learned this for sure about AdonisJs when at least it comes to refresh tokens.

Some users complained about the fact expiresIn option does not work even for access tokens (I will implement a POC about it tomorrow, hopefully). If this is confirmed, that might be a serious security flaw.

Personally I do not like soft deletes: if data is no longer needed, I prefer to delete it because that is a pragmatic option, especially when it comes to useless JWT tokens.

1 Like

JWT expiresIn works for sure, I see a lot of those E_JWT_TOKEN_EXPIRED errors in production :slight_smile:

3 Likes

How do you check if the token expired based on the expiresIn option ?

Set token expire to 2s or some similar really short time.
Try to access anything with this token after that short time.

Or you mean how to check for expired tokens?
By default auth middleware will throw E_JWT_TOKEN_EXPIRED error
Or manually when running jwt.verify() from jsonwebtoken or auth.check() with built in auth module

1 Like