Token created with REST call /api2/auth-token/ does not expire


#1

I just noticed the token returned is always the same. I expected to get a different token back each time, one which expires after some time. If somebody spies out this token, all the user's data is exposed, which is a serious security issue.

  1. Are there any plans to create tokens with an expiry in SF?
  2. Is there a way to kick off the generation of a new token for a user?

#2

Changing the password invalidates all existing tokens.


#3

I looked for a mitigation of the security issue by regenerating the token on a regular basis. But if the token is generated from the password, this doesn't work :tired_face:

Looking for an answer to my question 1 now :roll_eyes:


#4

I don’t think it is generated from the password. You can delete it from the database manually.


#5

Makes sense. SF is smart enough to generate a new token when there is no token for a user in the DB.

I just checked the DB and found two tables, api2_token and api2_tokenv2, which have different schemas. Both have a key. Do you know why there are two tables?

.schema api2_token
CREATE TABLE IF NOT EXISTS "api2_token" (
"key" varchar(40) NOT NULL PRIMARY KEY,
"user" varchar(255) NOT NULL UNIQUE,
"created" datetime NOT NULL
);
.schema api2_tokenv2
CREATE TABLE IF NOT EXISTS "api2_tokenv2" (
"key" varchar(40) NOT NULL PRIMARY KEY,
"user" varchar(255) NOT NULL,
"platform" varchar(32) NOT NULL,
"device_id" varchar(40) NOT NULL,
"device_name" varchar(40) NOT NULL,
"platform_version" varchar(16) NOT NULL,
"client_version" varchar(16) NOT NULL,
"last_accessed" datetime NOT NULL,
"last_login_ip" char(39),
wiped_at datetime DEFAULT NULL,
created_at datetime NOT NULL DEFAULT '1970-01-01 00:00:00',
UNIQUE ("user", "platform", "device_id")
);


#6

I think api2_token was there before and is not removed because it would unsync all devices using an old token.
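An added audit script, not part of this thread or of Seafile itself, that works against the two tables quoted in #5 and does what #4 suggests (delete the row so the next login issues a fresh key): it lists tokens whose created / last_accessed timestamp is older than a cutoff and revokes them, run here on an in-memory SQLite copy seeded with constructed rows. It assumes the timestamp columns hold 'YYYY-MM-DD HH:MM:SS' text as in the .schema output; against a real database, stop the server and take a backup first.

```python
import sqlite3

# Table layouts copied from the thread's .schema output (quotes normalised);
# every row seeded in demo() is constructed for this example.
SCHEMA = """
CREATE TABLE api2_token (
  "key" varchar(40) NOT NULL PRIMARY KEY, "user" varchar(255) NOT NULL UNIQUE,
  "created" datetime NOT NULL);
CREATE TABLE api2_tokenv2 (
  "key" varchar(40) NOT NULL PRIMARY KEY, "user" varchar(255) NOT NULL,
  "platform" varchar(32) NOT NULL, "device_id" varchar(40) NOT NULL,
  "device_name" varchar(40) NOT NULL, "platform_version" varchar(16) NOT NULL,
  "client_version" varchar(16) NOT NULL, "last_accessed" datetime NOT NULL,
  "last_login_ip" char(39), wiped_at datetime DEFAULT NULL,
  created_at datetime NOT NULL DEFAULT '1970-01-01 00:00:00',
  UNIQUE ("user", "platform", "device_id"));
"""
# The column that tells us how old (or how idle) a token is, per table.
AGE_COLUMN = {"api2_token": "created", "api2_tokenv2": "last_accessed"}

def stale_tokens(conn, cutoff):
    """(table, key, user, timestamp) for tokens older than `cutoff` (text compare)."""
    found = []
    for table, col in AGE_COLUMN.items():
        sql = f'SELECT "key", "user", "{col}" FROM {table} WHERE "{col}" < ?'
        found += [(table, k, u, t) for k, u, t in conn.execute(sql, (cutoff,))]
    return found

def revoke(conn, table, key):
    """Delete one token row; the next /api2/auth-token/ login will issue a new key."""
    if table not in AGE_COLUMN:  # never interpolate an unvetted table name
        raise ValueError(f"unknown token table: {table}")
    with conn:  # commits on success
        return conn.execute(f'DELETE FROM {table} WHERE "key" = ?', (key,)).rowcount

def demo(cutoff="2024-05-11 00:00:00"):
    """In-memory copy with constructed rows: audit, revoke the stale ones, re-audit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO api2_token ("key", "user", "created") VALUES (?, ?, ?)',
                     [("a" * 40, "alice@example.com", "2020-01-01 00:00:00"),
                      ("b" * 40, "bob@example.com", "2024-06-01 00:00:00")])
    conn.execute('INSERT INTO api2_tokenv2 ("key", "user", "platform", "device_id", '
                 '"device_name", "platform_version", "client_version", "last_accessed") '
                 "VALUES (?, ?, 'android', 'dev-1', 'phone', '13', '2.3', ?)",
                 ("c" * 40, "carol@example.com", "2024-01-15 08:00:00"))
    stale = stale_tokens(conn, cutoff)
    removed = sum(revoke(conn, t, k) for t, k, _, _ in stale)
    return stale, removed, stale_tokens(conn, cutoff)
```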