## Token creation changes
The `lifetime` property of access tokens has been removed. Tokens are now either `session` tokens, which expire 1h after their last activity, or `session_remember` tokens, which expire 5 years after their last activity.
The `remember` parameter that was previously available on the `POST /login` endpoint has been made available on `POST /api/token`. It doesn't return the remember cookie itself, but the token returned can be used as a remember cookie.
The `lifetime` parameter of `POST /api/token` has been deprecated and will be removed in Flarum beta 17. Partial backward compatibility has been provided: a `lifetime` value longer than 3600 seconds is interpreted like `remember=1`, while values lower than 3600 seconds result in a normal non-remember token.
New developer tokens that never expire have been introduced; however, they cannot currently be created through the REST API. Developers can create developer tokens from an extension using `Flarum\Http\DeveloperAccessToken::generate($userId)`.
If you manually created tokens in the database from outside Flarum, the `type` column is now required and must contain `session`, `session_remember` or `developer`. Tokens of an unrecognized type cannot be used to authenticate, but won't be deleted by the garbage collector either. In a future version, extensions will be able to register custom access token types.
## Token usage changes
A security issue in Flarum previously caused all tokens to never expire. This had limited security impact because tokens are long, unique strings. However, custom integrations that saved a token in an external database for later use might find that the token no longer works if it was not used recently.
If you use short-lived access tokens for any purpose, take note of the expiration time of 1h. The expiration is based on the time of last usage, so a token remains valid as long as it continues to be used.
Due to the large number of expired tokens accumulated in the database, and the fact that most tokens were never used more than once during the login process, we have chosen to delete all access tokens with a lifetime of 3600 seconds as part of the migration. All remaining tokens have been converted to `session_remember` tokens.
## Remember cookie
The remember cookie still works like before, but a few changes have been made that could break unusual implementations.
Now only access tokens created with the `remember` option can be used as the remember cookie. Any other type of token will be ignored. This means that if you create a token with `POST /api/token` and then place it in the cookie manually, make sure you set `remember=1` when creating the token.
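The following Python model is an added example, not Flarum's own code; it encodes the rules from the three sections above so an integration author can reason about them offline: the token type chosen for a `POST /api/token` request (including the deprecated `lifetime` compatibility rule), expiry counted from last activity, unrecognized types that neither authenticate nor get garbage-collected, and the remember cookie honouring only `session_remember` tokens. All names, the 5*365-day approximation of "5 years", and the timestamps in `demo()` are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LIFETIMES = {"session": timedelta(hours=1), "session_remember": timedelta(days=5 * 365)}  # "5 years" approximated

@dataclass
class AccessToken:
    value: str
    type: str                   # session, session_remember, developer, or an unrecognized type
    last_activity_at: datetime

def type_for_request(remember=False, lifetime=None):
    """remember=1, or a deprecated lifetime above 3600 s, yields session_remember; else session."""
    return "session_remember" if remember or (lifetime is not None and lifetime > 3600) else "session"

def expires_at(token):
    """Expiry counts from last activity; developer and unrecognized types have no expiry."""
    lifetime = LIFETIMES.get(token.type)
    return token.last_activity_at + lifetime if lifetime else None

def can_authenticate(token, now):
    """Unrecognized types never authenticate; known types must not have expired."""
    exp = expires_at(token)
    return token.type in ("session", "session_remember", "developer") and (exp is None or now < exp)

def use(token, now):
    """Authenticate with the token; a successful use restarts the sliding window at `now`."""
    ok = can_authenticate(token, now)
    if ok:
        token.last_activity_at = now
    return ok

def usable_as_remember_cookie(token, now):
    """Only tokens created with the remember option are honoured from the remember cookie."""
    return token.type == "session_remember" and can_authenticate(token, now)

def garbage_collect(tokens, now):
    """Expired tokens are deleted; unrecognized types are kept although they cannot be used."""
    return [t for t in tokens if expires_at(t) is None or now < expires_at(t)]

def demo():
    t0 = datetime(2021, 1, 1, 12, 0)  # constructed timestamps
    short = AccessToken("s", type_for_request(lifetime=600), t0)     # lifetime < 3600: session
    legacy = AccessToken("r", type_for_request(lifetime=86400), t0)  # lifetime > 3600: remember
    odd = AccessToken("x", "legacy_type", t0)                        # unrecognized type
    use(short, t0 + timedelta(minutes=50))  # activity at +50 min keeps it valid until +1 h 50
    return {"short_alive": [can_authenticate(short, t0 + timedelta(minutes=m)) for m in (90, 120)],
            "as_cookie": (usable_as_remember_cookie(short, t0), usable_as_remember_cookie(legacy, t0)),
            "odd_authenticates": can_authenticate(odd, t0),
            "survivors": [t.value for t in garbage_collect([short, legacy, odd], t0 + timedelta(hours=2))]}
```

`demo()` shows the practical consequence for integrations: the plain session token survives at +90 min only because it was used at +50 min, and is gone by +120 min, while the unrecognized-type token is still in the table but unusable.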