Password needed for deleting token?


#1

I noticed that it’s required for the user to supply their username password to delete a token. I’m building an app that will allow the user to login/logout. Right now on login I’m only storing their access token (after authenticating with their username/password). When they logout I want to destroy that token. But according to the docs, I need their username and password.

If it’s assumed that the access token is totally secure and unguessable, then why do we need additional credentials to delete the token? It seems strange to ask a user for their credentials again in order to logout.


#2

Things should change as Spark :cloud: evolves.

1.) The concept now is that the devices are tagged to your account and the control of the tokens is by the user.

2.) The tokens expire every 90 days

3.) Removal requiring username/password sounds appropriate since you don’t want people to revoke your access_tokens without any verification. Of course, I understand having a mechanism to do so on the user side with an access_token would be cool!

I’m imagining something like a one-time release using the same access_token to revoke the access token.

  Example 

curl https://api.spark.io/v1/access_tokens/121e21ex1ex1x?access_token=121e21ex1ex1x -X DELETE


Maybe @Dave has more idea :wink:


#3

Heya @kennethlimcp,

Oh, that’s a fun idea! This is probably silly, but I wonder though if letting a token be used to delete itself would create an opportunity for denial attacks? Mostly silly because someone needs the token to perform that attack, and by that point revoking the token is the least of your worries. :slight_smile:

I’ll open an issue for this idea!

Thanks,
David


#4

Since the token can be used by itself to perform all actions, this seems like a hindrance in the logout process to ask the user for their own credentials again to logout… I have yet to see a modern web app that does this. Of course, the alternative would just be to restart the session and let the user log in with a new session, but having many login tokens also seems like poor practice.

I’m currently storing the login token in localStorage and remove it upon failed login authentication. I’d like to use the remove login token function on logout, but there’s no way I would ask users for their credentials to logout. And storing username and password is definitely a security risk on the client.

Would like to see username and password removed from the DELETE request as well. If it is a security risk, I’d argue that the whole SDK is a security risk then, since a majority of functions only require the token.


#5

As a product creator, I’d also love to be able to get a list of a customer’s access tokens and choose to delete a selection of some.
Use case: I’m using two-legged authentication. If a customer forgets their password, or is otherwise trying to change their password, there is a way to do that with our servers and app. However, there doesn’t seem to be a way to revoke other Particle access tokens previously created for the customer, both from our side as the product creator and from their side since their particle account has no password and is under our organization. This is especially useful if they are changing their password because it was compromised or shared and they want to prevent another logged in party from controlling their device.
This seems like a rather important feature for product creators; @Dave what do you think?


#6

Thanks for the feedback, I agree this would be a very useful feature, and I’ll pass it along to the team.

Thanks!
David


#7

@Dave, as a patch, I decided in the meantime to start keeping track of issued access tokens in our database, with the goal of using

curl -X DELETE https://api.particle.io/v1/access_tokens \
   -d access_token=123abc

to delete any if needed. However, I get

{"ok":false,"error":"Not Found"}

even though I can use the same token to list devices, etc. Does this endpoint only work for non-customer access tokens?
Thanks!


#8

Hi @carlosr,

Hmm, yes I bet you’re right. I’ll bring this up with the team again.

Thanks,
David


#9

Hi Dave.

As an extra security measure in my app, I thought I might use the JavaScript SDK deleteCurrentAccessToken function during customer logout.

However, I am an idiot.

I elected to delete the token from my local storage before trying to use it to do the self-destruct function, above. So, when you do it in the right order, it works perfectly.

monkey.
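The ordering mistake in post #9 (clearing the token from local storage before calling the API with it) and the "Not Found" response in post #7 both come down to what the revoke call actually sees. The following is an added example, not code from this thread or from the Particle SDK: a logout routine that revokes the token server-side first and only then drops the local copy. `storage` stands in for `window.localStorage`, `revokeToken` for whatever call revokes a token (the SDK's deleteCurrentAccessToken or an HTTP DELETE on the access_tokens endpoint), and the storage key name is an assumption; the storage and API objects are constructed in-memory stand-ins so the example runs offline under Node.

```javascript
// Added example, not code from the thread or from the Particle SDK.
// Logout that revokes the access token on the server *before* clearing it
// locally. `storage` and `revokeToken` are injected so this runs offline.

const TOKEN_KEY = 'particle_access_token'; // assumed key name, not from the page

async function logout(storage, revokeToken) {
  const token = storage.getItem(TOKEN_KEY);
  if (token === null) {
    // Nothing to send: if the local copy was cleared first (post #9's
    // original order), there is no token to revoke and the server-side
    // token stays valid until it expires.
    return { revoked: false, reason: 'no token in storage' };
  }

  let revoked = false;
  let reason = null;
  try {
    await revokeToken(token); // step 1: revoke on the server
    revoked = true;
  } catch (err) {
    reason = err instanceof Error ? err.message : String(err);
  }

  // step 2: only now drop the local copy. Drop it even if revocation
  // failed so the browser no longer holds the credential; the caller sees
  // revoked === false and can warn that the token may still be live.
  storage.removeItem(TOKEN_KEY);
  return { revoked, reason };
}

// Constructed stand-in for localStorage (same getItem/setItem/removeItem API).
function makeStorage(initial = {}) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Constructed stand-in for the cloud's token table. revoke() rejects with
// "Not Found" for a token the server does not know, mirroring the error
// string post #7 received.
function makeFakeApi(validTokens) {
  const live = new Set(validTokens);
  return {
    isValid: (t) => live.has(t),
    revoke: async (t) => {
      if (!live.has(t)) throw new Error('Not Found');
      live.delete(t);
    },
  };
}

// Usage: correct order revokes the token and leaves nothing in storage.
async function demo() {
  const api = makeFakeApi(['121e21ex1ex1x']);
  const storage = makeStorage({ [TOKEN_KEY]: '121e21ex1ex1x' });
  const result = await logout(storage, api.revoke);
  return { ...result, stillValid: api.isValid('121e21ex1ex1x') };
}

demo().then((r) => console.log(r));
```

The design point is that the local copy is the only thing the client can hand to the revoke call, so it must be read (and sent) before it is removed; clearing storage first produces exactly the "works in the right order, fails in the wrong one" behaviour described above, and a failed revocation should be surfaced rather than silently treated as a logout.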