Active job token expiring integration

[caulfield]

Hi.

After rails 4.2 support we can refactor this code and use active job framework
https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/models/devise_token_auth/concerns/user.rb#L29

I think this feature is complex and I want to discuss implementations.

The idea is to add configuration variable Devise.config.use_active_job_for_token_expiring and if this value truthy we will add new delayed job (defined by user and client_id) after token creating

Another one is check ActiveJob::Base.queue_adapter and add this behaviour automatically.

Any thoughts about it and/or new ideas are welcome

[lynndylanhurley]

@caulfield - can you talk about the advantages of using jobs for this? Also, are there any downsides to the current system?

These are some of the thoughts I had when building out the current implementation:

Advantages of the current system

• The performance hit is nearly zero.
• The current method is only a few lines of very simple logic.
• No additional setup required.

Disadvantages of using jobs

• Will need to iterate over all users in the db to check their tokens' expiry. This will slow down the db while the job is running. (The current system only runs on records that are already writing to the db anyway.)
• May require additional setup

[caulfield]

Thank you @lynndylanhurley for great response.

The main goal is not to do extra queries. user record can be updated often, so each query we will deserialize tokens and find expired. so we will get big perfomance gain.

Will need to iterate over all users in the db to check their tokens' expiry

I think you don't understand. I mean something about it:

# resource model
def create_new_auth_token
...
  TokensJob.set(wait_until: expiry_time).perform_later(self, client_id)
end

# in TokensJob
def perform(resource, client)
  resource.delete_token(client)
  resource.save!
end

So, if active job is not set up, user get error(example for resque)

NotImplementedError, "To be able to schedule jobs with Resque you need the resque-scheduler gem. Please add it to your Gemfile and run bundle install"

Currently I'm not sure how to configure gem and select default setting way

[lynndylanhurley]

Just to clarify, a token's lifecycle looks like this:

1. The client makes a request using a valid token.
2. The server compares the token to user's token hash. If the token exists in the hash, and it has not expired, the server allows the request to continue.
3. At the end of the request, a new token is generated for the user. This requires a db write, and it's at this time that the user's expired tokens are deleted.
4. The new token is included in the request's response headers.
5. The client reads the new token from the response headers.
6. The client saves the new token for use with the next request.

Because step 3 already requires a trip to the DB, no extra queries are made.

Also note that the destroy_expired_tokens method is not necessary. The only purpose of the method is to prevent the tokens hash from filling up with dead tokens. Once a token has expired, it can no longer be used, even if it's still in the tokens hash.

[booleanbetrayal]

Closing this. Can re-open if people feel passionately about this, but there's been some recent logic to reduce # of queries during user resource load, etc.