Describe access-token invalidation #258
Conversation
| `"logoutSessionsOnSensitiveChanges`" to `true` in `server/config.json` file. | ||
|
|
||
| {% include tip.html content=" | ||
| If your application implements an own solution for access-token invalidation, then set `logoutSessionsOnSensitiveChanges` to `false`, to prevent interference between the built-in invalidation and your custom solution. This will also disable the warning. However, note that this flag is not available in LoopBack 3.x. |
There was a problem hiding this comment.
"If your application implements an own solution for access-token invalidation.." > "If your application implements access-token invalidation itself .. "
| sessions, one has to enable context propagation via "options" argument | ||
| in the settings of your User model. This setting cannot be changed in the | ||
| built-in User model, the application must configure a custom model [extending | ||
| the built-in `User` model](Extending-built-in-models.html). |
There was a problem hiding this comment.
"You cannot change this setting in the built-in User model. Instead, configure a custom model that extends the built-in User model.
| When user's account is compromised, for example when their password is leaked, | ||
| or the attacker gains access to their email account, the user need means for | ||
| recovering from the situation and preventing the attacker from continued use | ||
| of the services under the attacked user's name. |
There was a problem hiding this comment.
"When a user's account is compromised (for example their password is leaked or the attacker gains access to their email account), the app needs to be able to prevent continued use of the hijacked account."
review edits
review edits.
review edits.
|
I went ahead and edited the files in the branch. Now LGTM! |
@crandmck awesome 🎉 thank you! |
@crandmck please review, feel free to make any edits directly
See also strongloop/loopback#3112