[openstreetmap/openstreetmap-website] auto-delete oauth tokens after X time (#1201)

Tom Hughes notifications at github.com
Mon Apr 11 15:45:26 UTC 2016


Well, to start with, I don't believe we record when tokens are used, so we only know when they were created, not when they were last used.

Even if we did, how long should we wait? After how many months or years is it OK to make somebody reauthenticate? How many users will get annoyed and leave if we do that? How many will get annoyed and leave if we don't? These are all difficult questions with no good answer, but as there is little cost to keeping extra tokens around it seems better to err on the side of keeping them.

As tokens are associated with an account, deleting them won't stop us tracking you, because we will still know when you create new tokens. Being able to track the edits you make is exactly why we make you authenticate, after all!

---
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1201#issuecomment-208409740