Diffstat (limited to 'users/app')
-rw-r--r-- | users/app/controllers/controller_extension/token_authentication.rb | 2 | ||||
-rw-r--r-- | users/app/controllers/email_aliases_controller.rb | 12 | ||||
-rw-r--r-- | users/app/controllers/sessions_controller.rb | 10 | ||||
-rw-r--r-- | users/app/controllers/v1/users_controller.rb | 1 | ||||
-rw-r--r-- | users/app/models/token.rb | 30 |
5 files changed, 32 insertions, 23 deletions
diff --git a/users/app/controllers/controller_extension/token_authentication.rb b/users/app/controllers/controller_extension/token_authentication.rb
index 3e2816d..530294a 100644
--- a/users/app/controllers/controller_extension/token_authentication.rb
+++ b/users/app/controllers/controller_extension/token_authentication.rb
@@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication
 authenticate_with_http_token do |token_id, options|
 @token = Token.find(token_id)
 end
- @token.user if @token
+ @token.authenticate if @token
 end
 def logout
diff --git a/users/app/controllers/email_aliases_controller.rb b/users/app/controllers/email_aliases_controller.rb
deleted file mode 100644
index c90432f..0000000
--- a/users/app/controllers/email_aliases_controller.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-class EmailAliasesController < UsersBaseController
- before_filter :fetch_user
-
- def destroy
- @alias = @user.email_aliases.delete(params[:id])
- if @user.save
- flash[:notice] = t(:email_alias_destroyed_successfully, :alias => bold(@alias))
- end
- redirect_to edit_user_email_settings_path(@user) #TODO: this path doesn't exist. will want to add path for identities controller
- end
-
-end
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index d6c455b..0494b51 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -8,16 +8,6 @@ class SessionsController < ApplicationController
 end
 end
- def create
- logout if logged_in?
- authenticate!
- end
-
- def update
- authenticate!
- render :json => session.delete(:handshake)
- end
-
 def destroy
 logout
 redirect_to root_path
diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index b271152..01a1a2f 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
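Review bot: In `token_authentication.rb`, `@token` stays set after `@token.authenticate` returns nil, even though `Token#authenticate` (added in `token.rb` by this commit) has just destroyed the expired document. Any code that tests `@token` rather than the returned user would then act on a deleted token; the `logout` that follows may be one such place, but its body is outside the hunk. Consider clearing it: `user = @token.authenticate if @token`, then `@token = nil unless user`, and return `user`. The enclosing method starts above the hunk, so its name and callers are not visible here.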
@@ -8,6 +8,7 @@ module V1
 respond_to :json
+ # used for autocomplete for admins in the web ui
 def index
 if params[:query]
 @users = User.by_login.startkey(params[:query]).endkey(params[:query].succ)
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
index 3de0059..dd87344 100644
--- a/users/app/models/token.rb
+++ b/users/app/models/token.rb
@@ -4,11 +4,41 @@ class Token < CouchRest::Model::Base
 belongs_to :user
+ # timestamps! does not create setters and only sets updated_at
+ # if the object has changed and been saved. Instead of triggering
+ # that we rather use our own property we have control over:
+ property :last_seen_at, Time, accessible: false
+
 validates :user_id, presence: true
+ def authenticate
+ if expired?
+ destroy
+ return nil
+ else
+ touch
+ return user
+ end
+ end
+
+ def touch
+ self.last_seen_at = Time.now
+ save
+ end
+
+ def expired?
+ expires_after and
+ last_seen_at + expires_after.minutes < Time.now
+ end
+
+ def expires_after
+ APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
+ end
+
 def initialize(*args)
 super
 self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+ self.last_seen_at = Time.now
 end
 design do |
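Review bot: In `token.rb`, `expired?` and `initialize` disagree about where `last_seen_at` comes from, and either reading leaves expiry broken for some tokens. If CouchRest::Model runs `initialize` when it instantiates a stored document (worth confirming), `self.last_seen_at = Time.now` overwrites the persisted value on every load, so `expired?` never returns true. If it does not, tokens saved before this commit have no `last_seen_at`, and `last_seen_at + expires_after.minutes` raises NoMethodError on nil once `token_expires_after` is configured. Set the timestamp only for new documents, `self.last_seen_at = Time.now if new_record?`, and fail closed on a missing one: `expires_after && (last_seen_at.nil? || last_seen_at + expires_after.minutes < Time.now)`. `touch` also ignores the result of `save`, so a failed write leaves the token authenticated with a stale timestamp; checking it in `authenticate` would be safer.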