We encourage Stream users to set up token expiration if their architecture allows it. It is an application security best practice and it makes use cases such as user deactivation (as opposed to deletion) straightforward to implement.
The idea is for users to connect to the API with a user session token that carries an expiration time. Once that time is reached, the token is no longer accepted and the user loses access to the API until your backend issues a new one.
1. To generate a token with an expiration, use:
- JS client: JWTUserSessionToken with the expiresIn option, for example:
JWTUserSessionToken(apisecret, user_id, extraData, {expiresIn: '2 days'})
- .NET client: pass the expiration as the "exp" claim in the extra data dictionary (date is the expiration time to encode as the JWT exp claim):
var extra = new Dictionary<string, object>() { { "exp", date } };
var token = client.CreateUserToken(user_id, extra);
2. You will also need to enable token expiration when instantiating the client, otherwise the exp claim is not enforced:
- JS client:
//client-side: authenticate with the expiring token generated by your backend
const client = connect('api_key', token_generated, 'app_id', {
  expireTokens: true,
});
//server-side: authenticate with the API secret (the third argument is the app id)
const client = connect('api_key', 'api_secret', 'app_id', {
  expireTokens: true,
});
- .NET client:
_client = new Stream.StreamClient(
  Environment.GetEnvironmentVariable("STREAM_API_KEY"),
  Environment.GetEnvironmentVariable("STREAM_API_SECRET"),
  new Stream.StreamClientOptions()
  {
    ExpireTokens = true,
  });
To disable a user, you only have to stop your backend from issuing new tokens for that user. When the current token expires, the user loses access to the API, but their data remains in Stream; this is deactivation, not deletion, and re-enabling the user is just a matter of issuing tokens again.
Keep in mind that this also means you must implement token-refresh logic for users who are not disabled: they need to obtain a new token from your backend before, or as soon as, the current one expires, or they will be locked out as well.