Access token invalidation should be disabled by default in 2.x

[bajtos]

As described in #3048, adding automatic access token invalidation to 2.x is viewed as a breaking change by some of our users.

We should add a new feature flag (model-level setting?) to 2.x to control whether access token are invalidated or not. When this flag is not set, a warning should be printed to notify users about a potential security vulnerability.

In 3.0, we should throw an exception when this flag is set to false, so that users upgrading from 2.x to 3.0 are forced to upgrade their code to support our automatic token invalidation.

Tasks

• Make the change in loopback core - see Add app setting logoutSessionsOnSensitiveChanges [2.x] #3109
• Modify workspace template to enable this flag - see Enable "logoutSessionsOnSensitiveChanges" for LB 2.x projects loopback-workspace#410

[timlind]

Is documentation update included in the above tasks? It's the first place I went to look when it broke.

[bajtos]

@timlind Is documentation update included in the above tasks? It's the first place I went to look when it broke.

Good point! What page would you recommend to change? Would you mind contributing this change yourself? In my experience, documentation contributed by users tends to be the best one, because users know best what and where they were looking for in the docs.

[bajtos]

Actually, let's keep the documentation as part of the follow-up story #3112