automatic logout from simple-ember-auth/oauth2-server after inactivity


I have implemented a simple-ember-auth on the front and oauth2-server on the back, using password and refresh_token grants. When the authorisation token is about to expire (this time is set on the server), simple-ember-auth issues a refresh token request, and gets a new authorisation token.

That's cool, however, I need to automatically invalidate the session after a certain inactivity time. Currently, OAuth2PasswordGrantAuthenticator seems to issue the token refresh request ad infinitum.

I would welcome any suggestions or thoughts on how to implement this.

1

There is 1 answer

3
jelhan On

As @Lux mentioned in a comment, you have to implement user activity detection. You could observe events like keypress, mousemove, scroll etc. on the window element for that. If it's not about activity but just whether the page is in focus, you could consider the Page Visibility API. If it's more about interaction with your application, perhaps observe Ember events like transitions.

Use Ember.debounce to call OAuth2PasswordGrantAuthenticator invalidate() method only if there wasn't any user activity.

Maybe best implemented in an Application Instance Initializer.

Something like this (not tested):

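// app/instance-initializers/logout-if-inactive.js
import Ember from 'ember';

export function initialize(applicationInstance) {
  var session = applicationInstance.lookup('service:session');
  var logoutAfter = 15 * 60 * 1000; // inactivity limit in milliseconds
  // Each call restarts the debounce timer, so session.invalidate() only
  // runs once logoutAfter ms have passed without another call.
  var logout = function() {
    Ember.run.debounce(session, 'invalidate', logoutAfter);
  };
  // Mouse movement and key presses count as user activity.
  window.onmousemove = logout;
  window.onkeypress = logout;
}

export default {
  name: 'logout-if-inactive',
  after: 'session',
  initialize: initialize
};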
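
An added example, not part of the answer above and not ember-simple-auth code: a framework-independent version of the same idle logout that compares wall-clock time, so the first event after a suspended laptop or throttled background tab ends the session instead of resetting the timer. `createIdleLogout`, its option names and the `session` variable in the wiring comment are hypothetical.

```javascript
// Added example: idle-logout timer with an injectable clock and timers.
function createIdleLogout(opts) {
  var limitMs = opts.limitMs;
  var onIdle = opts.onIdle;                     // e.g. call session.invalidate()
  var now = opts.now || Date.now;
  var setTimer = opts.setTimer || setTimeout;
  var clearTimer = opts.clearTimer || clearTimeout;
  var lastActivity = now();
  var timer = null;
  var done = false;

  // Returns true while the session may continue. Uses elapsed wall-clock
  // time rather than "did the timer fire", because timers are delayed
  // while a tab is throttled or the machine sleeps.
  function check() {
    if (!done && now() - lastActivity >= limitMs) {
      done = true;
      clearTimer(timer);
      onIdle();
    }
    return !done;
  }

  function arm() {
    clearTimer(timer);
    timer = setTimer(tick, limitMs - (now() - lastActivity));
  }

  function tick() { if (check()) { arm(); } }

  // Call on every activity event. An event arriving after the deadline
  // logs out instead of extending the session.
  function activity() {
    if (!check()) { return false; }
    lastActivity = now();
    arm();
    return true;
  }

  function stop() { done = true; clearTimer(timer); }

  arm();
  return { activity: activity, check: check, stop: stop };
}

// Assumed browser wiring (session = the app's session service):
//   var idle = createIdleLogout({ limitMs: 15 * 60 * 1000,
//     onIdle: function () { session.invalidate(); } });
//   ['mousemove', 'keypress', 'scroll'].forEach(function (e) {
//     window.addEventListener(e, idle.activity); });
//   document.addEventListener('visibilitychange', idle.check);
```

Call `stop()` when the session is invalidated by other means, such as a manual logout, so that `onIdle` does not run against an already closed session.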