It may be due to my configuration and that is why I post it here.
I have set up home assistant on a server at home. I do not have public IP and connect to the world through VPN. On VPN server I have httpd service that redirects me to my home server. Virtual host configured on Apache as per this instruction:
Everything seems to be working but … Every time i refresh web page home assistant returns to login screen. No big issue. I can live with that. But I noticed that list of active access tokens becomes longer and longer. After a day I may have 10-20 more. They do not disappear. After several weeks I may have hundreds.
May be this related with the fact that I missconfigured something?
Is there any setting that allows control of token activity time? If that could be set to, let us say, 24 hours that would be sufficient.
How are tokens stored? Is there a way to maybe set up cron job and delete all of them at midnight.
I don’t think so. As far as I observed this behavior, refresh tokens are only deleted from the list, if you explicitly log out from HA on a device. If you don’t, these tokens stay there forever.
Today I manually edited .storage/auth to get rid of tons of tokens older than one week, because it is highly unlikely that these are logins from actively used devices. Deleting them in a text editor at least felt a bit faster than endless mouse clicking on the profile page.
I’m not aware of any config options to purge old refresh tokens automatically but I would also appreciate if such an option exists.
Update: Since I was still nagged by this problem, I created a bash one liner to be used with jq that server-side cleans up the refresh tokens for a HA instance:
I noticed the same thing with a bunch of tokens running back to when I started. I was wondering if there is a way to remove them once they are abandoned. How is the bash working for you?