Permanent token on loopback

Question

I am building an app using Loopback API that will be consumed by an iPhone APP. There is a connection to a MySQL database where I run some queries to get some results and expose on the API.

The endpoints contain an ACL that will allow only authenticated users to perform any operation, including the GET ones. So basically the requests need to be done using the ?access_token query string.
I want to set a token that can be saved on the MySQL database and can be used "forever" on the API.

I am not sure if I am asking the right question but if this is not the way to solve this problem, what would it be?

My main point is that I need the requests to be authenticated with a token but I don't want to lose this token once it's set.

Any help is appreciated. Thanks!

Possible duplicate: https://stackoverflow.com/q/32738285/399105 — bmaupin, May 30 '18 at 17:40

score 2 · Answer 1 · answered May 30 '18 at 17:44

By default the max token ttl is 1 year. Thankfully Loopback has an option that will allow you to create a permanent access token:

allowEternalTokens Boolean Allow access tokens that never expire.

https://loopback.io/doc/en/lb3/Model-definition-JSON-file.html#advanced-options

If you're using the default user model, you can enable it in server/model-config.json:

"User": {
  "dataSource": "db",
  "options": {
    "validateUpsert": true,
    "allowEternalTokens": true
  }
},

Then when logging in, set ttl to -1.

Note that every time you log in (User.login) your token will be replaced with a new one. So if you want to reuse the same access token, log in only once. You can get the existing access token from the AccessToken model (or directly from the database).

If you have a custom user model, you can set allowEternalTokens directly in the model definition file. In addition, if you have a custom user model you'll also need to update the relations of the AccessToken model (either the built-in one or your custom one if you have it) to point to the custom user model.

More info on custom user/access token models here: http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models

Ismael Di Vita · Accepted Answer · 2016-09-22T14:24:22.873

1

You can pass the ttl in the credential json sent by you iOS app, in this example the token will live for 60sec, just use a high value for make a token "permanent":

POST /Users/login  
{
"email":"user@email.com",
"password":"12345689",
"ttl": 60000
}

Or create a before remote method to change the ttl propertie, check this article:

LINK

edited Sep 22 '16 at 14:24

answered Sep 22 '16 at 14:18

Ismael Di Vita

1,806
1
20
35

Thanks Ismael! I used this solution. The maximum you can set is 1 year though. Thank you ver much! – rafaelferreir4 Sep 23 '16 at 18:27

score 1 · Answer 3 · answered Feb 14 '17 at 21:34

1

I set the TTL to the max 1 year but I set the created field to some time very far in the future such as 2112-10-29 00:00:00-04. This makes the token expire a century from now.

answered Feb 14 '17 at 21:34

Joseph Persico

602
7
20

Permanent token on loopback

3 Answers3

Linked