Offer the user a choice to invalidate access credentials when changing password #3178

Open
camallen opened this issue Sep 24, 2019 · 0 comments

@camallen
Contributor

If a user changes their password, Devise will invalidate the session in the cookie as it relies on the current user password. However, our UIs use Doorkeeper access tokens after session login; these are valid for 2 hours, a fairly large time window to make account changes.

We should offer the user the choice to invalidate all existing Doorkeeper API access tokens when they change / reset their password. Revoking these tokens would mean any logged-in session would immediately become invalid. Invalidating these tokens would ensure no other token holders could make account changes within 2 hours.
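
An added illustration of the behaviour requested above, not part of the issue and not the project's, Devise's or Doorkeeper's code: a plain-Ruby model of 2-hour access tokens in which a password change optionally revokes the user's existing tokens. `Token`, `TokenStore`, `Account` and `token_state_after_password_change` are hypothetical names, and the timestamps are constructed.

```ruby
# Plain-Ruby model (no Rails, Devise or Doorkeeper); every name is hypothetical.
TOKEN_TTL = 2 * 60 * 60 # seconds: the 2-hour token lifetime stated in the issue

Token = Struct.new(:owner_id, :issued_at, :revoked_at) do
  # Usable only while neither revoked nor expired.
  def valid_at?(now)
    revoked_at.nil? && now < issued_at + TOKEN_TTL
  end
end

class TokenStore
  def initialize
    @tokens = []
  end

  def issue(owner_id, now)
    Token.new(owner_id, now, nil).tap { |t| @tokens << t }
  end

  # Revoke every still-valid token of one user; returns how many were revoked.
  def revoke_all_for(owner_id, now)
    live = @tokens.select { |t| t.owner_id == owner_id && t.valid_at?(now) }
    live.each { |t| t.revoked_at = now }
    live.size
  end
end

Account = Struct.new(:id, :store) do
  # revoke_tokens models the user's choice proposed in the issue.
  def change_password(now, revoke_tokens:)
    revoke_tokens ? store.revoke_all_for(id, now) : 0
  end
end

# Constructed scenario: tokens issued at t=0, password changed at t=600 s.
def token_state_after_password_change(revoke_tokens:)
  store = TokenStore.new
  account = Account.new(1, store)
  old = store.issue(account.id, 0)
  other = store.issue(2, 0)             # a different user's token
  account.change_password(600, revoke_tokens: revoke_tokens)
  fresh = store.issue(account.id, 700)  # token from the user's next login
  { old_token: old.valid_at?(601),      # usable right after the change?
    other_user: other.valid_at?(601),   # must never be affected
    fresh_token: fresh.valid_at?(701),  # new logins keep working
    old_after_ttl: old.valid_at?(TOKEN_TTL) } # expiry still applies
end
```

Without revocation the old token stays usable after the password change until its 2-hour expiry; with revocation it is rejected immediately, while other users' tokens and tokens issued after the change are unaffected.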
