在 Rails 中设置令牌的超时

发布于 2024-12-03 05:48:08 字数 76 浏览 1 评论 0原文

如何为给定的身份验证令牌设置超时？超时后，令牌将被删除，用户将无法在其请求中使用它。

我正在使用 Rails 3 并设计。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

夜无邪 2024-12-10 05:48:08

我也在寻找这个功能，但没有找到直接实现的方法。

您可以在每次登录时重置身份验证令牌，并使用可记住的中间内容：

在您的应用程序控制器中，在 after_sign_in_path_for() 中：

resource.reset_authentication_token

在 devise.rb 中：

config.remember_for = 1.day

或者您可以创建一个 cron 作业来定期清除其中的无效authentication_token 条目用户表。

I was looking for this feature too, but didn't find a way to do it directly.

You can reset the authentication token on each sign-in and use the rememberable in-between:

in your application controller, in after_sign_in_path_for():

resource.reset_authentication_token

in devise.rb:

config.remember_for = 1.day

Or you can create a cron-job to periodically clear the invalid authentication_token entries from the users table.

回复收藏 0 原文

夏见 2024-12-10 05:48:08

我不确定这是否正是您正在寻找的，但这是 Devise 中的一个简单选项。
如果您在 config/initializers/devise.rb 中设置以下选项，

则 Devise 将在30

分钟不活动后使令牌过期。 Devise 对会话身份验证执行的相同操作也应适用于 authentication_token。

我在当前的项目中使用了它，并使用 Timecop gem 对其进行了测试：

it "should timeout without activity after 30 minutes" do
    auth_token = @user.authentication_token

    get "/frontend/users/#{@user.id}.json?auth_token=#{auth_token}"
    response.status.should == 200

    Timecop.travel(45.minutes.from_now)
    get "/frontend/users/#{@user.id}.json?auth_token=#{auth_token}"
    response.status.should == 401 

    Timecop.return
end

此外，我不认为令牌遵循与评论之一中提到的用户/密码组合相同的类比，因为您不会以纯文本形式存储密码，但可以使用令牌来存储。我建议在每次注销后重置令牌。

I'm not sure if that's exactly what you are looking for, but this is a simple option in Devise.
If you set the following option in config/initializers/devise.rb

config.timeout_in = 30.minutes

then Devise will expire the token after 30 minutes of inactivity. The same operations that Devise does for session authentication should also work with the authentication_token.

I have used that in my current project and tested it using Timecop gem:

it "should timeout without activity after 30 minutes" do
    auth_token = @user.authentication_token

    get "/frontend/users/#{@user.id}.json?auth_token=#{auth_token}"
    response.status.should == 200

    Timecop.travel(45.minutes.from_now)
    get "/frontend/users/#{@user.id}.json?auth_token=#{auth_token}"
    response.status.should == 401 

    Timecop.return
end

Also, I don't believe that the token follows the same analogy as user/password combination as mentioned in one of the comments, since you wouldn't store your password in plain text but you do with your token. I would recommend resetting the token after each logout as well.

回复收藏 0 原文

橘和柠 2024-12-10 05:48:08

在设计初始值设定项文件

#/config/initializers/devise.rb

# ==> Configuration for :timeoutable
# The time you want to timeout the user session without activity. After this
# time the user will be asked for credentials again. Default is 30 minutes.
config.timeout_in = 1.day

# If true, expires auth token on session timeout.
config.expire_auth_token_on_timeout = true

At devise initializer file

#/config/initializers/devise.rb

# ==> Configuration for :timeoutable
# The time you want to timeout the user session without activity. After this
# time the user will be asked for credentials again. Default is 30 minutes.
config.timeout_in = 1.day

# If true, expires auth token on session timeout.
config.expire_auth_token_on_timeout = true

回复收藏 0 原文

~没有更多了~