
I have implemented ember-simple-auth on the front and oauth2-server on the back, using password and refresh_token grants. When the authorisation token is about to expire (this time is set on the server), ember-simple-auth issues a refresh token request, and gets a new authorisation token.

That's cool, however, I need to automatically invalidate the session after a certain inactivity time. Currently, OAuth2PasswordGrantAuthenticator seems to issue the token refresh request ad infinitum.

I would welcome any suggestions or thoughts on how to implement this.

eight
  • Why not just call `.invalidate()` yourself? – Lux Apr 17 '16 at 00:09
  • @Lux I would gladly do that. How do I detect inactivity? – eight Apr 17 '16 at 00:20
  • Did you consider disabling autorefresh by setting [`refreshAccessTokens: false`](https://ember-simple-auth.com/api/classes/OAuth2PasswordGrantAuthenticator.html)? – jelhan Apr 17 '16 at 00:27
  • @eight that's the problem, you can't. Or well, the question is: what is activity for you? Mouse movement? Clicks? Transitions? But this is probably a more general JS question, not an `ember` or `ember-simple-auth` question: What is inactivity in a browser and how to detect it? – Lux Apr 17 '16 at 02:25
  • @jelhan: I started with that scenario: in it, the user is kicked off regardless of her activity. – eight Apr 17 '16 at 04:16

1 Answer


As @Lux mentioned in a comment, you have to implement user activity detection. You could observe events like keypress, mousemove, scroll, etc. on the window element for that. If it's not about activity but just whether the page is in focus, you could consider the Page Visibility API. If it's more about interaction with your application, perhaps observe Ember events like transitions.

Use Ember.debounce to call OAuth2PasswordGrantAuthenticator invalidate() method only if there wasn't any user activity.

Maybe best implemented in an Application Instance Initializer.

Something like this (not tested):

```js
// app/instance-initializers/logout-if-inactive.js
import Ember from 'ember';

export function initialize(applicationInstance) {
  var session = applicationInstance.lookup('service:session');
  var logoutAfter = 15 * 60 * 1000; // in milliseconds
  // Each call restarts the timer; invalidate() runs only after
  // logoutAfter milliseconds have passed without another call.
  var logout = function() {
    Ember.run.debounce(session, 'invalidate', logoutAfter);
  };
  // Restart the timer on mouse movement and key presses.
  window.onmousemove = logout;
  window.onkeypress = logout;
}

export default {
  name: 'logout-if-inactive',
  after: 'session',
  initialize: initialize
};
```
jelhan
  • This worked for me I just had to change `after: 'session'` to `after: 'ember-simple-auth'`. – Bill Brower Mar 21 '17 at 20:37
  • Just a quick question: Does it work when two tabs are open? I suppose the user will be kicked after 15 minutes if he doesn't click on the other tab, right? – Dougui Apr 27 '17 at 22:50
  • Suggested solution does not support multiple tabs yet. Therefore activity state must be shared between windows. You should use same technique as for session store to avoid edge cases. Don't call `session.invalidate` directly in debounce. Use another function which first checks that there wasn't any activity from another tab. – jelhan Apr 28 '17 at 09:10
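
The multi-tab variant described in the last comment, as an added example that is not part of the original answer or of ember-simple-auth: the last-activity timestamp lives in `localStorage`, which every tab of the origin shares, and each tab checks that shared value before invalidating. `STORAGE_KEY`, `createIdleTracker` and `attachIdleLogout` are hypothetical names, the 5 second poll and 1 second write throttle are values chosen here, and `session` is assumed to be the session service looked up in the answer's initializer.

```javascript
// Added example. STORAGE_KEY and the function names are hypothetical,
// not part of ember-simple-auth.
const STORAGE_KEY = 'idle-logout:last-activity';

// storage: localStorage-like object shared by all tabs of the origin.
// now: clock function, injected so the logic can be tested without a browser.
function createIdleTracker({ storage, now, timeoutMs, writeEveryMs = 1000 }) {
  let lastWrite = -Infinity;

  // Called from event handlers; throttled so mousemove does not hammer storage.
  function recordActivity() {
    const t = now();
    if (t - lastWrite < writeEveryMs) return;
    lastWrite = t;
    storage.setItem(STORAGE_KEY, String(t));
  }

  // Milliseconds since the most recent activity recorded by ANY tab.
  function idleFor() {
    const last = Number(storage.getItem(STORAGE_KEY));
    // Missing or corrupted value: treat as idle forever (fail closed).
    return Number.isFinite(last) && last > 0 ? now() - last : Infinity;
  }

  return { recordActivity, idleFor, isExpired: () => idleFor() >= timeoutMs };
}

// Browser wiring, not run under Node. `session` is assumed to be the
// ember-simple-auth session service looked up as in the answer's initializer.
function attachIdleLogout(win, session, timeoutMs) {
  const tracker = createIdleTracker({
    storage: win.localStorage, now: () => Date.now(), timeoutMs });
  tracker.recordActivity(); // opening the app counts as activity
  ['mousemove', 'keydown', 'scroll', 'click'].forEach((name) =>
    win.addEventListener(name, tracker.recordActivity, { passive: true }));
  // Poll instead of debounce: the decision uses the shared timestamp,
  // so activity in another tab keeps this tab logged in.
  win.setInterval(() => {
    if (session.get('isAuthenticated') && tracker.isExpired()) session.invalidate();
  }, 5000);
  return tracker;
}
```

Because the check is guarded by `isAuthenticated`, the same tracker keeps working after the user logs in again without reloading the page.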