2019-08-14 09:48:44 +00:00
|
|
|
DeviseTokenAuth.setup do |config|
|
|
|
|
# By default the authorization headers will change after each request. The
|
|
|
|
# client is responsible for keeping track of the changing tokens. Change
|
|
|
|
# this to false to prevent the Authorization header from changing after
|
|
|
|
# each request.
|
|
|
|
config.change_headers_on_each_request = false
|
|
|
|
|
|
|
|
# By default, users will need to re-authenticate after 2 weeks. This setting
|
|
|
|
# determines how long tokens will remain valid after they are issued.
|
2021-06-10 09:34:03 +00:00
|
|
|
config.token_lifespan = 2.months
|
2019-08-14 09:48:44 +00:00
|
|
|
|
chore: Security Improvements to the API (#2893)
- Devise auth tokens are reset on password update
- Avatar attachment file type is limited to jpeg,gif and png
- Avatar attachment file size is limited to 15 mb
- Widget Message attachments are limited to types ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg', 'text/csv']
- Widget Message attachments are limited to 40Mb size limit.
2021-09-01 09:38:05 +00:00
|
|
|
# By default, old tokens are not invalidated when password is changed.
|
|
|
|
# Enable this option if you want to make passwords updates to logout other devices.
|
|
|
|
config.remove_tokens_after_password_reset = true
|
|
|
|
|
2019-08-14 09:48:44 +00:00
|
|
|
# Sets the max number of concurrent devices per user, which is 10 by default.
|
|
|
|
# After this limit is reached, the oldest tokens will be removed.
|
|
|
|
# config.max_number_of_devices = 10
|
|
|
|
|
|
|
|
# Sometimes it's necessary to make several requests to the API at the same
|
|
|
|
# time. In this case, each request in the batch will need to share the same
|
|
|
|
# auth token. This setting determines how far apart the requests can be while
|
|
|
|
# still using the same auth token.
|
|
|
|
# config.batch_request_buffer_throttle = 5.seconds
|
|
|
|
|
|
|
|
# This route will be the prefix for all oauth2 redirect callbacks. For
|
|
|
|
# example, using the default '/omniauth', the github oauth2 provider will
|
|
|
|
# redirect successful authentications to '/omniauth/github/callback'
|
|
|
|
# config.omniauth_prefix = "/omniauth"
|
|
|
|
|
|
|
|
# By default sending current password is not needed for the password update.
|
|
|
|
# Uncomment to enforce current_password param to be checked before all
|
|
|
|
# attribute updates. Set it to :password if you want it to be checked only if
|
|
|
|
# password is updated.
|
|
|
|
# config.check_current_password_before_update = :attributes
|
|
|
|
|
|
|
|
# By default we will use callbacks for single omniauth.
|
|
|
|
# It depends on fields like email, provider and uid.
|
|
|
|
# config.default_callbacks = true
|
|
|
|
|
|
|
|
# Makes it possible to change the headers names
|
|
|
|
# config.headers_names = {:'access-token' => 'access-token',
|
|
|
|
# :'client' => 'client',
|
|
|
|
# :'expiry' => 'expiry',
|
|
|
|
# :'uid' => 'uid',
|
|
|
|
# :'token-type' => 'token-type' }
|
|
|
|
|
|
|
|
# By default, only Bearer Token authentication is implemented out of the box.
|
|
|
|
# If, however, you wish to integrate with legacy Devise authentication, you can
|
|
|
|
# do so by enabling this flag. NOTE: This feature is highly experimental!
|
|
|
|
# config.enable_standard_devise_support = false
|
|
|
|
end
|