With the accounts-* package, the login will be maintained for 90 days by default. The token will be cached to localStorage, and the next time the user opens the browser it will log in automatically again.
But for some apps this is not right and secure. For example, for an admin app, the user needs to perform a one-time login and keep the token in memory to make it safe, since it will be removed on closing of the browser.
So how would you implement one-time login?
see this issue
You can configure how long it stays valid in the accounts settings.
Try this: https://atmospherejs.com/zuuk/stale-session
reoh, August 10, 2016, 9:05pm
After you log in, remove the login data from storage:
Meteor.loginWithPassword(user, password, (err) => {
  if (err) return; // login failed, so nothing was stored
  // Drop the persisted token so a new browser session cannot auto-login
  Meteor._localStorage.removeItem('Meteor.userId');
  Meteor._localStorage.removeItem('Meteor.loginToken');
  Meteor._localStorage.removeItem('Meteor.loginTokenExpires');
  Accounts._autoLoginEnabled = false;
});
If using the latest package (1.3+), you should be able to just:
Meteor.loginWithPassword(user, password, (err) => {
  if (err) return;
  Accounts._unstoreLoginToken(); // removes the same three localStorage keys
  Accounts._autoLoginEnabled = false;
});
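reoh's scrub-after-login pattern wrapped in a small helper and exercised against a constructed stand-in for the pieces of Meteor's client it touches, so it runs in plain Node (added example, not code from the thread or from Meteor; oneTimeLogin, makeFakeMeteor and the stand-in's internals are assumptions):

```javascript
const TOKEN_KEYS = ['Meteor.userId', 'Meteor.loginToken', 'Meteor.loginTokenExpires'];

// Log in, then scrub the persisted token so a fresh browser session cannot
// auto-resume. The current DDP session stays logged in; only storage is cleared.
function oneTimeLogin(Meteor, Accounts, user, password, callback) {
  Meteor.loginWithPassword(user, password, (err) => {
    if (err) return callback(err); // failed login stores nothing, so nothing to scrub
    for (const key of TOKEN_KEYS) Meteor._localStorage.removeItem(key);
    Accounts._autoLoginEnabled = false; // also blocks re-login on a hot code reload
    callback(undefined, Meteor.userId());
  });
}

// Constructed stand-in (not Meteor) for the parts of the client this pattern
// touches: login persists the three keys, startup auto-resumes from them.
function makeFakeMeteor(validPassword) {
  const storage = new Map();
  let currentUserId = null;
  const Accounts = { _autoLoginEnabled: true };
  const Meteor = {
    _localStorage: {
      getItem: (k) => (storage.has(k) ? storage.get(k) : null),
      setItem: (k, v) => storage.set(k, String(v)),
      removeItem: (k) => storage.delete(k),
    },
    userId: () => currentUserId,
    loginWithPassword(user, password, cb) {
      if (password !== validPassword) return cb(new Error('Incorrect password'));
      currentUserId = 'u1';
      Meteor._localStorage.setItem('Meteor.userId', 'u1');
      Meteor._localStorage.setItem('Meteor.loginToken', 'tok-constructed');
      Meteor._localStorage.setItem('Meteor.loginTokenExpires', Date.now() + 90 * 864e5);
      cb(undefined);
    },
  };
  // Simulate closing and reopening the browser: in-memory state, including the
  // _autoLoginEnabled flag, resets; localStorage survives; startup auto-resumes
  // whenever a token is still stored.
  function newBrowserSession() {
    currentUserId = null;
    Accounts._autoLoginEnabled = true;
    if (Meteor._localStorage.getItem('Meteor.loginToken') !== null) {
      currentUserId = Meteor._localStorage.getItem('Meteor.userId');
    }
    return currentUserId;
  }
  return { Meteor, Accounts, newBrowserSession };
}
```

On a real browser restart the in-memory Accounts._autoLoginEnabled flag resets anyway, so what actually prevents auto-login is the absence of the token in localStorage; the flag only matters within the same page session.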
This does work, awesome! It really should be made a config option of Accounts.
Nice find @reoh! It will need some maintenance to make sure it stays working in new releases because it changes some core variables.
Isn’t this setting sufficient for you: https://docs.meteor.com/api/accounts-multi.html#AccountsCommon-config loginExpirationInDays
Not sure what happens if you turn it to 0 (zero). You might want to test that. I think it sets this variable:
/**
* @summary Get the current user record, or `null` if no user is logged in. A reactive data source.
* @locus Anywhere but publish functions
* @importFromPackage meteor
*/
Meteor.user = function () {
return Accounts.user();
};
// how long (in days) until a login token expires
var DEFAULT_LOGIN_EXPIRATION_DAYS = 90;
// how long (in days) until reset password token expires
var DEFAULT_PASSWORD_RESET_TOKEN_EXPIRATION_DAYS = 3;
// Clients don't try to auto-login with a token that is going to expire within
// .1 * DEFAULT_LOGIN_EXPIRATION_DAYS, capped at MIN_TOKEN_LIFETIME_CAP_SECS.
// Tries to avoid abrupt disconnects from expiring tokens.
var MIN_TOKEN_LIFETIME_CAP_SECS = 3600; // one hour
// how often (in milliseconds) we check for expired tokens
EXPIRE_TOKENS_INTERVAL_MS = 600 * 1000; // 10 minutes
// how long we wait before logging out clients when Meteor.logoutOtherClients is
// called
And that one gets multiplied but it seems to not accept zero:
// against any DDP connection, not just one special one.
this.connection =
DDP.connect(__meteor_runtime_config__.ACCOUNTS_CONNECTION_URL);
} else {
this.connection = Meteor.connection;
}
}
_getTokenLifetimeMs() {
return (this._options.loginExpirationInDays ||
DEFAULT_LOGIN_EXPIRATION_DAYS) * 24 * 60 * 60 * 1000;
}
_getPasswordResetTokenLifetimeMs() {
return (this._options.passwordResetTokenExpirationInDays ||
DEFAULT_PASSWORD_RESET_TOKEN_EXPIRATION_DAYS) * 24 * 60 * 60 * 1000;
}
_tokenExpiration(when) {
// We pass when through the Date constructor for backwards compatibility;
// `when` used to be a number.
Have to check deeper and test though before you trust that behavior. This might otherwise be a good place to fix what you want.
It seems that every 10 minutes the tokens are checked to be removed:
// how long (in days) until a login token expires
var DEFAULT_LOGIN_EXPIRATION_DAYS = 90;
// how long (in days) until reset password token expires
var DEFAULT_PASSWORD_RESET_TOKEN_EXPIRATION_DAYS = 3;
// Clients don't try to auto-login with a token that is going to expire within
// .1 * DEFAULT_LOGIN_EXPIRATION_DAYS, capped at MIN_TOKEN_LIFETIME_CAP_SECS.
// Tries to avoid abrupt disconnects from expiring tokens.
var MIN_TOKEN_LIFETIME_CAP_SECS = 3600; // one hour
// how often (in milliseconds) we check for expired tokens
EXPIRE_TOKENS_INTERVAL_MS = 600 * 1000; // 10 minutes
// how long we wait before logging out clients when Meteor.logoutOtherClients is
// called
CONNECTION_CLOSE_DELAY_MS = 10 * 1000;
// loginServiceConfiguration and ConfigError are maintained for backwards compatibility
Meteor.startup(function () {
var ServiceConfiguration =
Package['service-configuration'].ServiceConfiguration;
Ap.loginServiceConfiguration = ServiceConfiguration.configurations;
Ap.ConfigError = ServiceConfiguration.ConfigError;
Might be interesting to look into this a bit further to see if you can use the official api. You don’t need to remove the token after all, you need the token to become invalid.
Before this post, I had already tested setting it to 0, but sadly, when I reopened the browser, it was logged in.
Would you mind telling me how we can change the var EXPIRE_TOKENS_INTERVAL_MS in accounts-base.js?
Yes, I found that too. The tokens will all be cleaned, so it seems that it will log out every 10 minutes.
Hey, you might be interested in the accounts extension that I published.