
Do not logout when someone is active in the OVS gui

Open jeroenmaelbrancke opened this issue 8 years ago • 3 comments

After x hours the session closes even when I'm active on the GUI.

Devtools errors:

Failed to load resource: the server responded with a status of 401 (UNAUTHORIZED)
Failed to load resource: the server responded with a status of 403 (FORBIDDEN)

jeroenmaelbrancke avatar Jun 13 '17 07:06 jeroenmaelbrancke

Must have been bad luck. The token that is provided stays for 24 hours. A decision should be made whether

  • our API should automatically refresh the tokens in the client side (this will be some more work as a new persistent key has to be made and stored and writing up some client code)
  • The token expiration can be edited and will fallback to 12hours (this means logging in every day will be covered better)

Currently going with option 2. @wimpers you can decide what to do here (Documentation around this subject: https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/)

JeffreyDevloo avatar Nov 07 '17 11:11 JeffreyDevloo

After discussion with @JeffreyDevloo :

  • option 2 will not fundamentally fix the issue (currently the value is set at 24h but OPS can set it to anything they like)
  • I believe a more fundamental approach is to use short-lived, auto-refresh tokens which can be revoked.

@JeffreyDevloo could you add a ballpark estimate for that latest option? In the meantime setting it to Roadmap.

wimpers avatar Nov 07 '17 14:11 wimpers

Things to be done:

Server side:

  • Add a new type of token which is persistent (should never be removed automatically): the refreshing token (4h with refactoring other token logic)
  • Add a view which only the refreshing token can have access to (this view should contain the logic to fetch a new token) (4h with rights testing)
  • Optionally: build in this refreshing logic in the ovs client to avoid getting new tokens (4h)

Client side:

  • The api client in the front-end should automatically refresh its token once it expires (4h)
  • There should be an idle detection which can halt the refreshing of the token (2h)

JeffreyDevloo avatar Nov 07 '17 16:11 JeffreyDevloo
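The two-token scheme sketched in the comment above (a persistent, revocable refresh token; a refresh view only that token may call; a client that auto-refreshes unless the user has gone idle), as an added Python sketch that is not code from the OVS project or any commenter. The lifetimes, class names and the in-memory store are assumptions made for illustration.

```python
import secrets

ACCESS_TTL = 15 * 60   # constructed demo value: short-lived access token
IDLE_LIMIT = 30 * 60   # constructed demo value: client stops refreshing after this much inactivity


class TokenStore:
    """Server side: short-lived access tokens plus persistent, revocable refresh tokens."""
    def __init__(self):
        self.access = {}   # access token -> (user, expires_at); expired entries are dropped
        self.refresh = {}  # refresh token -> user; never expires by itself, only via revoke()

    def _issue_access(self, user, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = (user, now + ACCESS_TTL)
        return token

    def login(self, user, now):
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = user
        return self._issue_access(user, now), refresh

    def authenticate(self, access, now):
        """Ordinary views: the user, or None (the 401 case) once the access token has expired."""
        entry = self.access.get(access)
        if entry is None or entry[1] <= now:
            self.access.pop(access, None)
            return None
        return entry[0]

    def refresh_view(self, token, now):
        """The only view a refresh token may call; access tokens and revoked tokens are refused (403)."""
        if token in self.access or token not in self.refresh:
            raise PermissionError("a valid, unrevoked refresh token is required")
        return self._issue_access(self.refresh[token], now)

    def revoke(self, refresh):
        self.refresh.pop(refresh, None)


class ApiClient:  # front-end client: renews the access token on expiry unless the user has gone idle
    def __init__(self, store, user, now):
        self.store, self.last_activity = store, now
        self.access, self.refresh = store.login(user, now)

    def touch(self, now):
        self.last_activity = now   # called on every user interaction (mouse, keyboard, ...)

    def request(self, now):
        if self.store.authenticate(self.access, now) is None and now - self.last_activity < IDLE_LIMIT:
            self.access = self.store.refresh_view(self.refresh, now)   # still active: refresh
        return self.store.authenticate(self.access, now)               # idle: stays logged out
```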