[openstreetmap/openstreetmap-website] Display authentication-related timestamps on OAuth2 tab (Issue #4494)

Matija Nalis notifications at github.com
Wed Jan 24 01:42:18 UTC 2024


> As long as our tokens are not expiring, that information would always reflect the very first time a token has been requested. With OAuth1.0a you might see multiple entries for an app, in case they're not properly persisting the token locally, and need to request a new token.

I understand that (and have seen it in practice, with several pages' worth of old OAuth1 that I've cleaned up recently, while OAuth2 remains clean).

However, I assume that when I revoke an OAuth2 app, it would disappear (from the list and from existence) along with its token, and if I decide to grant access to that app again in the future, then it would generate a new (different) token, and it would have a new timestamp too, right?

If that assumption is correct, then I would find that timestamp valuable (e.g. if a device with stored tokens was found to be compromised at some point in time, I'd like to know what tokens were active, _or_ one might just want to expire their tokens manually after some time as good security hygiene [as auto expiration is not supported], _or_ it might be useful just in a read-only/historical/time-orienteering way, e.g. _"I started using this app just after doing X, so X happened around there"_, etc.)

>> timestamp when that authentication token was last used

> That's not possible. Validating tokens is a read only database operation, i.e. a last used timestamp is not stored anywhere.

Ah, that's too bad. It would've been quite useful though, to spot unauthorized accesses and other things. But what can one do...

Can we have just the first (i.e. token creation) timestamp then?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4494#issuecomment-1907208452