barefootguru

Feature request: don't expire access token after 90 days

I run 4 apps/programs/sites which access GC via the API.

  1. It's a nuisance and time-consuming to have to reauthorise them repeatedly.
  2. It decreases security: rather than entering my (long random) password once on my phone, I have to save it in a note in case it expires when I'm away from home.

Link to post

You could (should) use a password manager like KeePass or 1Password to store your passwords securely. This security deficiency isn't due to the API token expiration but rather how you choose to handle it.

Link to post

I renew my token in GSAK and GDAK without any "hassle", it's just a few clicks about 4 times a year. No sweat.

  • Upvote 1

Link to post

I visit Project-GC on 3 devices, and have Cachly running on 2.  Cachly now utilises Keychain so that’s fixed the password security, but that still leaves a multi-screen reauthorisation I have to go through twice a month — sometimes out in the field.

No other website I use requires incessant babysitting to keep my access tokens valid.  It’s good it doesn’t bother you guys, but it’s harder when you realise it doesn’t have to be like this.

  • Upvote 1

Link to post

The access token renewal process was instituted due to abuse.  This is why we can't have nice things.

  • Upvote 1

Link to post

What will happen when API2 is launched officially? In GSAK I see "token is older than 1 hour > refreshing token". Does that mean token refresh is going to be automated (even more than in GSAK)?

I suppose that when using the API the token can be checked (it's already checked for validity) and its lifetime extended if membership type is still the same?

Link to post
On 8/8/2018 at 3:44 AM, on4bam said:

What will happen when API2 is launched officially? In GSAK I see "token is older than 1 hour > refreshing token". Does that mean token refresh is going to be automated (even more than in GSAK)?

I suppose that when using the API the token can be checked (it's already checked for validity) and its lifetime extended if membership type is still the same?

I believe that apps will be able to renew the token without user intervention but am not positive on that as I have yet to implement the new user authorization in LonelyCache. From the documentation:

Quote

When the access token expires, the app can make a POST call into the OAuth service's token endpoint to exchange the refresh_token for a new access token without any additional authorize calls.

Link to post
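
The refresh exchange described in the documentation quote above, sketched as an added example (not code from any poster or from the API documentation). It follows the standard OAuth 2.0 refresh grant (RFC 6749, section 6); the token URL is a placeholder, and HTTP Basic client authentication and the 60-second safety margin are assumptions.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://oauth.example.invalid/token"  # placeholder, not the real endpoint


class ReauthorizationRequired(Exception):
    """The refresh token was rejected; the user must authorize the app again."""


def build_refresh_request(refresh_token, client_id, client_secret):
    """Build (but do not send) the POST that trades a refresh token for a new access token."""
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token}).encode()
    # Assumption: the client authenticates with HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})


def needs_refresh(stored, now=None):
    """True once the stored access token has reached its (early) expiry time."""
    return (time.time() if now is None else now) >= stored["expires_at"]


def apply_token_response(status, raw_body, stored, now=None):
    """Return the updated token record, or raise if the user must reauthorize."""
    now = time.time() if now is None else now
    data = json.loads(raw_body)
    if status != 200:
        if data.get("error") == "invalid_grant":  # expired or revoked refresh token
            raise ReauthorizationRequired(data.get("error_description", ""))
        raise RuntimeError(f"token endpoint error: {data.get('error')}")
    return {
        "access_token": data["access_token"],
        # The server may rotate the refresh token; keep the old one if none is returned.
        "refresh_token": data.get("refresh_token", stored["refresh_token"]),
        # Expire 60 s early so no call goes out with a token about to lapse.
        "expires_at": now + int(data.get("expires_in", 3600)) - 60,
    }


if __name__ == "__main__":
    stored = {"access_token": "at-old", "refresh_token": "rt-old", "expires_at": 0}  # constructed
    sample = '{"access_token": "at-new", "refresh_token": "rt-new", "expires_in": 3600}'  # constructed
    if needs_refresh(stored):
        print(build_refresh_request(stored["refresh_token"], "app", "secret").data)
        print(apply_token_response(200, sample, stored))
```

Only an `invalid_grant` response sends the user back through the authorize screens; every other expiry is handled silently, provided the app keeps the refresh token in the platform's secure storage.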
