vincent15000

Sanctum expiration isn't applied to the tokens

Hello,

I just modified the expiration value for the token in the sanctum.php configuration file.

https://laravel.com/docs/11.x/sanctum#token-expiration

I have checked for any cache problem, but it doesn't work any better.

The AI suggests adding the stateful API middleware, but I don't think that's the solution for API token authentication.

Any idea?

It works well, however, if I specify the expiration date as a parameter to the createToken() function.

Thanks for your help.

V

JussiMannisto

Do you mean that your tokens don't expire, or that the expires_at value in the model is null? Because the value is supposed to be null.

JussiMannisto

For more explanation, take a look at the source code. Expired tokens are deleted in two passes:

  1. Delete any tokens with an expired expires_at value.
  2. If there's a sanctum.expiration setting, delete all tokens that have expired based on it.

So it doesn't matter if your token's expires_at value is null or 10 years in the future, it gets deleted if the global setting says so.

In other words, expires_at can only limit the lifetime of a token. It's not needed if you've defined a sanctum.expiration setting.

vincent15000

@JussiMannisto No need to give me an AI answer which doesn't reply to my question at all ;). I'm not asking anything about pruning expired tokens.

JussiMannisto

@vincent15000 It's not an AI answer. Did you not understand what I'm saying?

The value is supposed to be null. So what's your issue?

vincent15000

@JussiMannisto Read my post once again: I have set 'expiration' => 3600 in the sanctum.php configuration file, and when I create a new token the expires_at field remains null in the database, whereas it should contain a date with the value now()->addHour().

JussiMannisto

@vincent15000 No it shouldn't. That's just something you made up.

How about you read what the configuration comment says:

This value controls the number of minutes until an issued token will be considered expired. This will override any values set in the token's "expires_at" attribute, but first-party sessions are not affected.

The config value doesn't get written to the expires_at column. Tokens will expire if they're older than sanctum.expiration regardless of what their expires_at value says. The expires_at value only comes into play if it's shorter than sanctum.expiration.

You didn't read the docs or look at the source code, made up how things should work, and then complained when I explained how Sanctum actually uses the config value.

Also 3600 minutes is not one hour.

vincent15000

@JussiMannisto OK, now it's clear to me, but I really didn't understand the documentation that way, probably because English is not my mother tongue.

Furthermore, yes, you're right: the expiration value is in minutes.

Borniac

I know this thread is from a year ago, but there is still something that isn't logical.

@jussimannisto you mention "The config value doesn't get written to the expires_at column. Tokens will expire if they're older than sanctum.expiration regardless of what their expires_at value says. The expires_at value only comes into play if it's shorter than sanctum.expiration."

If sanctum.expiration is null, meaning there is no expiration time (as I understand it), and you create a token that needs to expire after 1 hour, the expires_at value is shorter than the config. The token that was just created and is still valid is not accepted as a valid token; changing it has no impact. Only removing the expires_at value makes the token valid.

JussiMannisto

I'm not sure I follow your point. The token is valid until one of these is hit:

  1. The globally configured sanctum.expiration time since the token was created.
  2. The token's own expires_at time.

Whichever is shorter defines the token's validity time. If they're both null, the token never expires.

The token just created and is still valid is not accepted as a valid token, changing it has no impact. Only removing the expires_at value makes the token valid.

If sanctum.expiration is null and you set the token's expires_at somewhere in the future, the token is valid until expires_at is hit. But note that expires_at is a timestamp while sanctum.expiration is given in minutes.

Snapey

My take

If the sanctum expiration (global) setting is 30 days, then no token can be older than 30 days. However, if you set a token to expire in 1 hour, then that single token has a 1-hour lifetime and will be considered invalid much sooner than the standard time.

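The validity rule Jussi lays out above, and Snapey's summary of it, as an added PHP illustration that is not Sanctum's own code: the two checks are written out with plain DateTimeImmutable so the script runs without Laravel (PHP 8 or newer), and the sample token, timestamps and scenario labels are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added illustration of the rule described in this thread; not Sanctum's own code.
// It mirrors the two checks the guard applies to a bearer token:
//   1. global: created_at must be newer than now() minus sanctum.expiration minutes
//   2. per-token: expires_at, when set, must not be in the past
function sanctumTokenIsValid(
    ?int $expirationMinutes,        // sanctum.expiration (null = no global limit)
    DateTimeImmutable $createdAt,   // personal_access_tokens.created_at
    ?DateTimeImmutable $expiresAt,  // personal_access_tokens.expires_at (null unless passed to createToken)
    DateTimeImmutable $now
): bool {
    $withinGlobalLimit = $expirationMinutes === null
        || $createdAt > $now->sub(new DateInterval("PT{$expirationMinutes}M"));
    $withinOwnLimit = $expiresAt === null || $expiresAt >= $now;
    return $withinGlobalLimit && $withinOwnLimit;
}
// The instant a token stops being accepted: the earlier of the two deadlines,
// or null when neither limit is configured (the token never expires).
function effectiveExpiry(
    ?int $expirationMinutes,
    DateTimeImmutable $createdAt,
    ?DateTimeImmutable $expiresAt
): ?DateTimeImmutable {
    $deadlines = [];
    if ($expirationMinutes !== null) {
        $deadlines[] = $createdAt->add(new DateInterval("PT{$expirationMinutes}M"));
    }
    if ($expiresAt !== null) {
        $deadlines[] = $expiresAt;
    }
    return $deadlines === [] ? null : min($deadlines);
}
// Constructed sample token, issued at a fixed UTC instant.
$created = new DateTimeImmutable('2024-01-01 00:00:00', new DateTimeZone('UTC'));
$oneHourLater = $created->add(new DateInterval('PT1H'));
$fmt = fn(?DateTimeImmutable $t): string => $t?->format('Y-m-d H:i:s') ?? 'never';
// vincent15000's case: 'expiration' => 3600 with expires_at left null. The column
// stays null, yet the token is rejected 3600 minutes (60 hours) after created_at.
echo 'global 3600, no expires_at, after 59h: ', var_export(sanctumTokenIsValid(3600, $created, null, $created->add(new DateInterval('PT59H'))), true), PHP_EOL;
echo 'global 3600, no expires_at, after 61h: ', var_export(sanctumTokenIsValid(3600, $created, null, $created->add(new DateInterval('PT61H'))), true), PHP_EOL;
// Borniac's case: sanctum.expiration null, expires_at = created_at + 1 hour.
echo 'global null, expires_at +1h, after 30m: ', var_export(sanctumTokenIsValid(null, $created, $oneHourLater, $created->add(new DateInterval('PT30M'))), true), PHP_EOL;
echo 'global null, expires_at +1h, after 2h:  ', var_export(sanctumTokenIsValid(null, $created, $oneHourLater, $created->add(new DateInterval('PT2H'))), true), PHP_EOL;
// Snapey's case: 30-day global limit, with and without a 1-hour per-token limit.
echo 'global 30d, expires_at +1h -> ', $fmt(effectiveExpiry(30 * 24 * 60, $created, $oneHourLater)), PHP_EOL;
echo 'global 30d, no expires_at  -> ', $fmt(effectiveExpiry(30 * 24 * 60, $created, null)), PHP_EOL;
```

Because the global limit is measured from created_at and never written to expires_at, checking the database column tells you nothing about whether the global setting is in effect; checking a request against the guard does.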
