How to invalidate access token?

code_af2 years ago

If a token is created for example with an expiry date of 1 year, but after a short time the user want to invalidate this specific token, how the user can do so?

Anton Tananaev2 years ago

It's not possible to invalidate tokens.

henry beltran2 years ago

what about to change the password of the user's token?

Anton Tananaev2 years ago

A token is an alternative to password, so changing the password doesn't affect the token.

masterkitanoa year ago

Anton, can you elaborate on why there's no option to invalidate the tokens?
If a token can have a very far away expiration date, its very risky to not have a way to invalidate the token, if at any moment before the token expires, it gets compromised, basically you are saying that there's no way to prevent a miss use, basically account is compromissed and there's nothing the user can do, not even changing password. So then what? the user is pretty f*d up. What should she/he do? make a new account and delete the old one or what? thanks for your explanation in advance.

stridger10 months ago

This is indeed quite a shortcoming and a security issue. Also, it appears if someone logs in with a token they can generate a token with a further expiry time. It does feel like the token system up to version 5.2 was much more fit for purpose than the new reworked one where the system neither knows what tokens exist nor has any control over them...

Anton Tananaev10 months ago

it appears if someone logs in with a token they can generate a token with a further expiry time

This is not the case if you're using the latest version.

stridger10 months ago

Thanks. I am using 5.12 and I still get a Preferences menu to generate tokens... However the tokens will be the same if I try to generate past the expiry of the original token. Is that what you mean? I guess that solves this security problem, but is rather confusing for the end user. Why can the Tokens menu not be removed altogether if one logs in with a token? And revoking tokens also seems essential if for example a token is leaked somewhere etc.

Could you perhaps explain what led to this redesign of the token system, which used to work perfectly fine before 5.3 and could have easily been extended with expiry dates if that was the driver?

Anton Tananaev10 months ago

We need to support tokens for a lot of different things now. For example mobile app login, notifications etc. So one single user controlled token doesn't work for it. That was the main reason.

stridger10 months ago

I see. Thank you, that makes sense. Perhaps in the future something can be added to allow invalidation and remove the menu for users who login with token to issue other tokens (even if only just for ones within the validity period of the original token).

Anton Tananaev10 months ago

I recommend submitting a feature request or if there's already one comment on it to express interest.

stridger10 months ago

OK!

Paul M Ash7 months ago

In the newest version of Traccar is it possible to invalidate tokens now? I provided an access token to a user account that Is designed to be used very similar to stridgers case. Unfortunately, accidentally, the date that I provided was too far out. The premise for using the feature this way is privacy. Allowing people the ability to not have to log in to an account and provide information. I look forward to an update allowing token management. I've used Traccar for many years now and appreciate all the hard work.

Anton Tananaev7 months ago

Not possible to invalidate.

Paul M Ash7 months ago

Is this something you're considering?