Token lifetime expiration

[cederom]

Hello world and thank you for this amazing framework :-)

What I found missing and quite basic feature is the token lifetime expiration. That would for sure increase security. There is a created field, but expiration needs to be done by hand (i.e. like this [1]).. and that introduces local changes to authentication mechanism that could also imply security issues.

My question is why there is no token expiration mechanism implemented in the upstream?

Are there any serious reasons against it?

The implementation could only use settings defined variable and delete expired token on first incoming request. If no expiration is required that variable could be None.

Any hints welcome :-)
Tomek

[1] https://medium.com/@yerkebulan199/django-rest-framework-drf-token-authentication-with-expires-in-a05c1d2b7e05

[cederom]

• I did my own token lifetime expiration. But it would be nice to have it out-of-the-box.
• Also rolling token would be nice to have: in the token lifetime token should change every 24h for increased security.

[tomchristie]

Hi Tomek. 👋🏼

I did my own token lifetime expiration

Good stuff.
Are you able to point at anything that other folks might find useful here?

[cederom]

Sure thing :-) I can even prepare a PR so we all have this solution out of the box :-) Just a question if project is interested in this feature? :-)

[auvipy]

you can share with us what you want to contribute