Merge pull request #75 from azul/feature/token-expiry

Token expiry

2 files changed, 31 insertions, 1 deletions

diff --git a/users/app/controllers/controller_extension/token_authentication.rb b/users/app/controllers/controller_extension/token_authentication.rb
index 3e2816d..530294a 100644
--- a/users/app/controllers/controller_extension/token_authentication.rb
+++ b/users/app/controllers/controller_extension/token_authentication.rb
@@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication
     authenticate_with_http_token do |token_id, options|
       @token = Token.find(token_id)
     end
-    @token.user if @token
+    @token.authenticate if @token
   end
 
   def logout
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
index 3de0059..dd87344 100644
--- a/users/app/models/token.rb
+++ b/users/app/models/token.rb
@@ -4,11 +4,41 @@ class Token < CouchRest::Model::Base
 
   belongs_to :user
 
+  # timestamps! does not create setters and only sets updated_at
+  # if the object has changed and been saved. Instead of triggering
+  # that we rather use our own property we have control over:
+  property :last_seen_at, Time, accessible: false
+
   validates :user_id, presence: true
 
+  def authenticate
+    if expired?
+      destroy
+      return nil
+    else
+      touch
+      return user
+    end
+  end
+
+  def touch
+    self.last_seen_at = Time.now
+    save
+  end
+
+  def expired?
+    expires_after and
+    last_seen_at + expires_after.minutes < Time.now
+  end
+
+  def expires_after
+    APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
+  end
+
   def initialize(*args)
     super
     self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+    self.last_seen_at = Time.now
   end
 
   design do