Api Pow authorization token validity time

Hi,
I’ve created authorization for my external API, identical to the one in the Pow docs https://hexdocs.pm/pow/api.html.
My question is, how to set token validity time for this api authorization?
I set:
credentials_cache_store:
{Pow.Store.CredentialsCache, ttl: :timer.minutes(28800), namespace: "credentials"},
session_ttl_renewal: :timer.minutes(30),
cache_store_backend: Pow.Store.Backend.EtsCache
in the main config and it’s working for the CMS part of the project but not for the external api part.
Can anybody help me? Thanks in advance.

1 Like

You’ll have to set it in the store config options, as you are calling the Pow.Store.CredentialsCache directly. :credentials_cache_store is only used in Pow.Plug.Session plug.

So do this instead:

store_config
|> Keyword.put(:ttl, :timer.minutes(28800))
|> CredentialsCache.put(access_token, {user, [renewal_token: renewal_token]})

Or if you want to use the same setting as in your config:

{_store, opts} = Config.get(config, :credentials_cache_store, nil) || raise "No `:credentials_cache_store` config option set"

store_config
|> Keyword.merge(opts)
|> CredentialsCache.put(access_token, {user, [renewal_token: renewal_token]})

I strongly encourage you to keep the TTL much shorter than what you got. OWASP recommends the following:

Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications.

3 Likes
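
A defensive variant of the second snippet above, as an added example that is not from this thread or from Pow itself: it reuses the `:credentials_cache_store` options when the config carries them, falls back to no extra options instead of raising when it does not, and caps the resulting TTL. The module name `ApiTokenTTL`, the function `store_opts/3` and the 30-minute cap are assumptions made for illustration; the sample configs are constructed.

```elixir
defmodule ApiTokenTTL do
  # Hypothetical helper, not part of Pow.
  # `config` is the keyword list the API plug receives; `store_config` is the
  # base keyword list passed to CredentialsCache.put/3 in the snippets above.
  @default_max_ttl :timer.minutes(30)

  def store_opts(config, store_config, max_ttl \\ @default_max_ttl) do
    opts =
      case Keyword.get(config, :credentials_cache_store) do
        # {store_module, opts} form, as in the config from the question.
        {_store, opts} when is_list(opts) -> opts
        # Bare module, or option absent from this particular config (nil).
        _other -> []
      end

    store_config
    |> Keyword.merge(opts)
    # Use the cap when no TTL is configured, and never exceed it otherwise.
    |> Keyword.update(:ttl, max_ttl, &min(&1, max_ttl))
  end
end

# Constructed sample: config that carries the option with a very long TTL.
with_option = [
  otp_app: :my_app,
  credentials_cache_store:
    {Pow.Store.CredentialsCache, ttl: :timer.minutes(28800), namespace: "credentials"}
]

# Constructed sample: config where the option is missing.
without_option = [otp_app: :my_app]

base = [backend: Pow.Store.Backend.EtsCache]

IO.inspect(ApiTokenTTL.store_opts(with_option, base), label: "option set")
IO.inspect(ApiTokenTTL.store_opts(without_option, base), label: "option missing")
```

The returned keyword list is what would be piped into `CredentialsCache.put/3` in place of `store_config`.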

That works, thank you very much. I’ll re-think the TTL.

I am still stuck on the renewal TTL time.
{_store, opts} = Config.get(config, :credentials_cache_store, nil) || raise "No :credentials_cache_store config option set"
is not working; it always returns a nil value.