Setting up Permanent Session Token in DF 2.0


#1

Hi,

As mentioned in multiple posts on the forums, DF 2.0 will support Permanent Session Tokens. I decided to set up the public beta on a local VM. I have been able to install it and safely copy my database(s) from 1.9.x to 2.0.

However, I feel there is a lack of documentation for 2.0 at the moment. My experience in programming web technologies is limited, my background being mostly C# WinForms applications. I am currently trying out an AngularJS web application with DF as a back end for a proof-of-concept application.

I would really appreciate if anyone could guide me with setting up DF 2.0 with Permanent Session Tokens.

I understand that 2.0 is still in beta and shouldn’t be used for production apps, this is just a proof of concept and not a production application.


#2

You can set DF_CACHE_TTL in your .env, or set "allow_forever_sessions" to true as I did:

http://monosnapmauro.s3.amazonaws.com/monosnapmauro/samples4__rootdsp_optdreamfactoryconfig__ssh__20454_2015-09-26_11-07-19.png


#3

Hi, I have the same problem, but the solution from Mauro_Delazeri didn't work. I guess there is a bug.
A very hardcore solution that you could use at your own risk is to comment out some lines in
/vendor/tymon/jwt-auth/src/Validators/PayloadValidator.php:

protected function validateTimestamps(array $payload)
{
    if (isset($payload['nbf']) && Utils::timestamp($payload['nbf'])->isFuture()) {
        throw new TokenInvalidException('Not Before (nbf) timestamp cannot be in the future', 400);
    }

    if (isset($payload['iat']) && Utils::timestamp($payload['iat'])->isFuture()) {
        throw new TokenInvalidException('Issued At (iat) timestamp cannot be in the future', 400);
    }
    //THIS MAKES TOKENS LIVE FOREVER
    //if (Utils::timestamp($payload['exp'])->isPast()) {
    //    throw new TokenExpiredException('Token has expired');
    //}

    return true;
}

For those who are interested in the details:
Looking through the code I found out that the duration parameter has no effect at all (DreamFactory\Core\Resources\UserSessionResource.php:handleLogin); it is not processed. But there is a "remember_me" param that is eventually passed as the "$forever" param to vendor/dreamfactory/df-core/src/Utility/JWTUtilities.php:makeJWTByUser.

Then a payload is created with the 'exp' default claim and a 'forever' custom claim among others, and finally the token_map is saved to the DB. But the saving method loses the 'forever' claim: it saves the value and 'exp', but not 'forever'.


#4

@HJoshi, while complete 2.0 documentation is still in progress, here is how you use forever session in DF 2.0.

By default forever session is turned off. To enable it add the following environment variable in the .env file.

DF_ALLOW_FOREVER_SESSIONS=true

Make sure it is turned on by calling the GET http://your-url/api/v2/system/environment API. You should see

allow_forever_sessions:true
in that response. Now you are all set for permanent sessions. To get a forever JWT (token), make the login API call with remember_me: true
POST http://your-url/api/v2/user/session

Request Body:

{ "email":"user@example.com", "password":"secret", "remember_me":true }

Now, here is the important thing to understand: the token you get back is a forever token, but it will expire after the default TTL (time-to-live) set in the .env file (DF_JWT_TTL=60). However, you can always refresh that (forever) token when it expires with the following API call.

PUT http://your-url/api/v2/user/session

You can pass the old expired token in the request header (X-DreamFactory-Session-Token) or on the URL query string (?session_token).

@MaxY, I would not comment out that piece of code, because then no token will ever expire. It is absolutely not safe. The idea of a forever token is not to kill the expiration but rather to allow the token to be refreshed forever. Refreshing the token doesn't require the user to re-authenticate. You can find more about JWT here: http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs


#5

@aislam

“I would not comment out that piece of code because then no token will ever expire. It is absolutely not safe.”

Yes, I understand. I would not either :smile:

Ah, that’s how it works! Got it. Thanks. I should have spent more time for research.


#6

I have set df_allow_forever_sessions=true in the dreamfactory/htdocs/.env file, but I do not get the property back when calling the system/environment API. What am I doing wrong?


#7

It’s

DF_ALLOW_FOREVER_SESSIONS=true
All upper case. Also, which version of the Bitnami image are you using?

If it still doesn't work using that config in the .env file, then you may have an older beta version. In that case, make sure you have the following line in the …/htdocs/config/df.php file:

'allow_forever_sessions'       => env('DF_ALLOW_FOREVER_SESSIONS', false),

#8

Hi,

I would also like to implement this. Where can I find the .env file? I am using Dreamfactory 2.0 through Bitnami in AWS.

Thanks,
Allen


#9

Bitnami AWS images have the Bitnami stack installed in /opt/bitnami
This makes the path to the DreamFactory portion of the stack /opt/bitnami/apps/dreamfactory/htdocs


#10

In case anyone is like me and is running dreamfactory on Openshift, the path to get to the .env file is ${OPENSHIFT_HOMEDIR}/app-root/runtime/repo/df.

I simply had to ssh into the application, navigate to the file, and then was able to add the line DF_ALLOW_FOREVER_SESSIONS=true to the .env file using VIM (or your editor of choice).

After doing this I went to the API docs as mentioned above and confirmed that the setting was updated.


#11

Thanks for the post @aislam


#12

I have changed this in the df.php file:

'allow_forever_sessions' => env('DF_ALLOW_FOREVER_SESSIONS', true),

but on http://127.0.0.1:8080/api/v2/system/environment allow_forever_sessions is still false after several restarts.

Version 2.0.4.

Any ideas? Thanks.


#13

In your htdocs folder, from the command line, try running

/path/to/php artisan config:clear
/path/to/php artisan cache:clear

Then restart Bitnami


#14

That was it. I made the forever session by manually editing the config.php file before you replied.

It should be added to the wiki.
Thank you.

htdocs being apps/dreamfactory/htdocs

Terminal :
VNV-Mac:htdocs nvasilescu$ /Applications/dreamfactory-2.0.4-2/php/bin/php artisan config:clear
Configuration cache cleared!
VNV-Mac:htdocs nvasilescu$ /Applications/dreamfactory-2.0.4-2/php/bin/php artisan cache:clear
Application cache cleared!

Restart all services. Check -> http://127.0.0.1:8080/api/v2/system/environment


#15

I have the same problem again, on an Azure image.

I changed allow_forever_sessions to true in df.php.

I ran:

php artisan config:clear
php artisan cache:clear

~/apps/dreamfactory/htdocs$ sudo service bitnami restart
/opt/bitnami/config/monit/conf.d/nginx.conf:3: Warning: Program does not exist: '/opt/bitnami/nginx/scripts/ctl.sh'
/opt/bitnami/config/monit/conf.d/nginx.conf:4: Warning: Program does not exist: '/opt/bitnami/nginx/scripts/ctl.sh'
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
160404 11:30:32 mysqld_safe mysqld from pid file /opt/bitnami/mysql/data/mysqld.pid ended
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
160404 11:30:37 mysqld_safe Logging to '/opt/bitnami/mysql/data/mysqld.log'.
160404 11:30:37 mysqld_safe Starting mysqld.bin daemon with databases from /opt/bitnami/mysql/data
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/mongodb/scripts/ctl.sh : mongodb stopped
/opt/bitnami/mongodb/scripts/ctl.sh : mongodb started at port 27017
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
/opt/bitnami/config/monit/conf.d/nginx.conf:3: Warning: Program does not exist: '/opt/bitnami/nginx/scripts/ctl.sh'
/opt/bitnami/config/monit/conf.d/nginx.conf:4: Warning: Program does not exist: '/opt/bitnami/nginx/scripts/ctl.sh'

Flushed system cache.

The api/v2/system/environment API returns "allow_forever_sessions":false


#16

Restarted the entire virtual machine. Nothing. @drewpearce

Thank you.


#17

I don't know if I am missing a step, but I cannot find a .env file anywhere in my install directory. Can someone steer me in the right direction? My DF instance is installed on an Ubuntu server.


#18

If you were paying attention you would see that in a post of mine at the beginning we were talking about the df.php file :slight_smile:


#19

Hi, I just launched a standalone (non-Bitnami) Ubuntu 14.04 nginx install with SSL; it took me a good day to get it right, and I saw your post looking for the same thing.

The .env file is a hidden file in your install directory; for me it was /home/user/df2. htdocs does not exist on a standalone install.

A couple of tips:

  1. sftp to your server with FileZilla; it will show you the hidden files
  2. use find / -name <directory> -type d from the command line to search your server for a directory
  3. use find / -name <filename> -type f from the command line to search your server for a file (wildcards accepted)

#20

hi RJP,

I also installed a non-Bitnami standalone DF2 on my Ubuntu 14.04 almost 2 weeks ago, but this is what I have been getting as a response when trying to launch the platform in my browser:

"Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help http://xhr.spec.whatwg.org/ app.ee90cd63.js:3:13186
GET XHR http://localhost/api/v2/system/environment [HTTP/1.1 404 Not Found 0ms]
uncaught exception: [object Object]"

I have tried many options in user management; perhaps the user does not have the necessary access rights to the public installation folder, and I have given it the appropriate rights. But I still have this issue, "GET XHR http://localhost/api/v2/system/environment [HTTP/1.1 404 Not Found 0ms] uncaught exception: [object Object];", as a major problem. Can you please shed more light on how you were able to make it work, and perhaps share some nginx configuration files?

Thank you.