Permanent token on loopback

我怕爱的太早我们不能终老 submitted on 2019-12-08 05:26:55

Question


I am building an app using Loopback API that will be consumed by an iPhone APP. There is a connection to a MySQL database where I run some queries to get some results and expose on the API.

  1. The endpoints contain an ACL that will allow only authenticated users to perform any operation, including the GET ones. So basically the requests need to be done using the ?access_token query string.
  2. I want to set a token that can be saved on the MySQL database and can be used "forever" on the API.

I am not sure if I am asking the right question but if this is not the way to solve this problem, what would it be?

My main point is that I need the requests to be authenticated with a token but I don't want to lose this token once it's set.

Any help is appreciated. Thanks!


Answer 1:


You can pass the ttl in the credential JSON sent by your iOS app. In this example the token will live for 60sec; just use a high value to make a token "permanent":

POST /Users/login
{
  "email": "user@email.com",
  "password": "12345689",
  "ttl": 60000
}

Or create a before remote method to change the ttl property; check this article:

LINK




Answer 2:


By default the max token ttl is 1 year. Thankfully Loopback has an option that will allow you to create a permanent access token:

allowEternalTokens (Boolean): Allow access tokens that never expire.

https://loopback.io/doc/en/lb3/Model-definition-JSON-file.html#advanced-options

If you're using the default user model, you can enable it in server/model-config.json:

"User": {
  "dataSource": "db",
  "options": {
    "validateUpsert": true,
    "allowEternalTokens": true
  }
},

Then when logging in, set ttl to -1.

Note that every time you log in (User.login) your token will be replaced with a new one. So if you want to reuse the same access token, log in only once. You can get the existing access token from the AccessToken model (or directly from the database).

If you have a custom user model, you can set allowEternalTokens directly in the model definition file. In addition, if you have a custom user model you'll also need to update the relations of the AccessToken model (either the built-in one or your custom one if you have it) to point to the custom user model.

More info on custom user/access token models here: http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models




Answer 3:


I set the TTL to the max 1 year but I set the created field to some time very far in the future such as 2112-10-29 00:00:00-04. This makes the token expire a century from now.
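
An added example, not part of any answer above and not LoopBack's own code: all three answers leave tokens in the AccessToken table that effectively never expire, so this script audits exported rows and lists the ones that are eternal (ttl -1), dated in the future, or over a one-year ttl. The row shape (id, userId, ttl in seconds, created), the function names and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: audit AccessToken rows for tokens that never, or practically
// never, expire. ttl is in seconds; the rows below are constructed.
const YEAR_SECONDS = 365 * 24 * 60 * 60; // audit threshold (assumption): the 1-year max from Answer 2

function classifyToken(row, now) {
  const created = new Date(row.created);
  const base = { id: row.id, userId: row.userId, expires: null };
  if (Number.isNaN(created.getTime()) || !Number.isFinite(row.ttl)) {
    return { ...base, finding: 'malformed' };
  }
  if (row.ttl === -1) {
    // ttl -1 is the eternal-token value used with allowEternalTokens (Answer 2).
    return { ...base, finding: 'eternal' };
  }
  const expires = new Date(created.getTime() + row.ttl * 1000);
  let finding = 'ok';
  if (created > now) finding = 'created-in-future'; // the Answer 3 pattern
  else if (row.ttl > YEAR_SECONDS) finding = 'ttl-over-one-year';
  else if (expires <= now) finding = 'expired';
  return { ...base, expires: expires.toISOString(), finding };
}

// Return only the rows a reviewer should look at.
function auditTokens(rows, now = new Date()) {
  return rows
    .map((row) => classifyToken(row, now))
    .filter((r) => r.finding !== 'ok' && r.finding !== 'expired');
}

// Constructed sample rows (ids are placeholders, not real tokens).
const SAMPLE_NOW = new Date('2019-12-08T00:00:00Z');
const SAMPLE_ROWS = [
  { id: 'tok-A', userId: 1, ttl: 60000, created: '2019-12-07T20:00:00Z' },
  { id: 'tok-B', userId: 2, ttl: -1, created: '2019-01-01T00:00:00Z' },
  { id: 'tok-C', userId: 3, ttl: YEAR_SECONDS, created: '2112-10-29T00:00:00-04:00' },
  { id: 'tok-D', userId: 4, ttl: 1209600, created: '2019-11-01T00:00:00Z' },
  { id: 'tok-E', userId: 5, ttl: null, created: '2019-12-01T00:00:00Z' },
];

for (const r of auditTokens(SAMPLE_ROWS, SAMPLE_NOW)) {
  console.log(`${r.id} user=${r.userId} ${r.finding} expires=${r.expires || 'never/unknown'}`);
}
```

Each flagged row is a credential that stays valid until someone deletes it, so the output doubles as a revocation checklist when a device is lost or an account is closed.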



Source: https://stackoverflow.com/questions/39622211/permanent-token-on-loopback
