I just noticed the token returned is always the same. I expected to get a different token back every time, one which expires after some time. If somebody spies out this token, all the user's data is exposed, which is a serious security issue.
Are there any plans to create tokens with an expiry in SF?
Is there a way to kick off the generation of a new token for a user?
I looked for a mitigation of the security issue by regenerating the token on a regular basis. But if the token is generated from the password, this doesn't work.
Makes sense, SF is smart enough to generate a new token when no token exists for a user in the DB.
I just checked the DB and found two tables:
api2_token and api2_tokenv2, which have different schemas. Both have a key. Do you know why there are two tables?
.schema api2_token
CREATE TABLE IF NOT EXISTS "api2_token" (
    "key" varchar(40) NOT NULL PRIMARY KEY,
    "user" varchar(255) NOT NULL UNIQUE,
    "created" datetime NOT NULL
);

.schema api2_tokenv2
CREATE TABLE IF NOT EXISTS "api2_tokenv2" (
    "key" varchar(40) NOT NULL PRIMARY KEY,
    "user" varchar(255) NOT NULL,
    "platform" varchar(32) NOT NULL,
    "device_id" varchar(40) NOT NULL,
    "device_name" varchar(40) NOT NULL,
    "platform_version" varchar(16) NOT NULL,
    "client_version" varchar(16) NOT NULL,
    "last_accessed" datetime NOT NULL,
    "last_login_ip" char(39),
    wiped_at datetime DEFAULT NULL,
    created_at datetime NOT NULL DEFAULT '1970-01-01 00:00:00',
    UNIQUE ("user", "platform", "device_id")
);
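As an added example (not from the thread and not Seafile's own code), a stale-token audit over the api2_tokenv2 schema posted above: it loads that schema into an in-memory SQLite database with constructed rows and lists live tokens whose last_accessed is older than a cutoff, which at least makes never-expiring tokens visible to an admin. That wiped_at marks a revoked token is an assumption, as are the sample values.

```python
import sqlite3
from datetime import datetime, timedelta

# Schema copied from the `.schema api2_tokenv2` output in the thread.
SCHEMA = """
CREATE TABLE IF NOT EXISTS "api2_tokenv2" (
    "key" varchar(40) NOT NULL PRIMARY KEY,
    "user" varchar(255) NOT NULL,
    "platform" varchar(32) NOT NULL,
    "device_id" varchar(40) NOT NULL,
    "device_name" varchar(40) NOT NULL,
    "platform_version" varchar(16) NOT NULL,
    "client_version" varchar(16) NOT NULL,
    "last_accessed" datetime NOT NULL,
    "last_login_ip" char(39),
    wiped_at datetime DEFAULT NULL,
    created_at datetime NOT NULL DEFAULT '1970-01-01 00:00:00',
    UNIQUE ("user", "platform", "device_id")
);
"""

# Constructed sample rows (not real data); the key values are placeholders.
# Column order follows the schema above.
SAMPLE_ROWS = [
    ("key-alice-android", "alice@example.org", "android", "dev-1", "Pixel",
     "14", "3.0.0", "2024-05-01 10:00:00", "203.0.113.5", None, "2023-01-01 00:00:00"),
    ("key-alice-wiped", "alice@example.org", "windows", "dev-2", "Laptop",
     "10", "9.0.1", "2024-04-01 09:00:00", "198.51.100.7", "2024-04-02 00:00:00", "2023-06-01 00:00:00"),
    ("key-bob-ios", "bob@example.org", "ios", "dev-3", "iPhone",
     "17", "3.0.0", "2024-06-10 12:00:00", "192.0.2.9", None, "2024-01-01 00:00:00"),
]

def build_db():
    """Create an in-memory DB with the thread's schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO api2_tokenv2 VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def stale_tokens(conn, now, max_idle_days):
    """Return (user, platform, device_name, last_accessed) for tokens that are
    still live (wiped_at IS NULL, assumed to mean 'not revoked') but have not
    been used within max_idle_days of `now`. ISO datetime strings compare
    correctly as text in SQLite."""
    cutoff = (now - timedelta(days=max_idle_days)).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute(
        """SELECT user, platform, device_name, last_accessed
           FROM api2_tokenv2
           WHERE wiped_at IS NULL AND last_accessed < ?
           ORDER BY last_accessed""", (cutoff,))
    return cur.fetchall()
```

Run against a copy of the real seahub database rather than the live file, and treat the listed device tokens as candidates for review, not automatic deletion.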