What expectation should I have for how long a user can stay logged on before being prompted again?
I have implemented my own check in functions.php, integrating with the SSO plugin for WordPress. My logic seems pretty simple but I just noticed that a member who had a declined credit card (hence removing the user tag that my logic checks) was able to access my forum today. On further checking she last logged on a couple of days ago and, I guess, still seems to be. Her last logon date for WordPress is also a few days back.
Is it expected that her cached credentials should still be working. If so, is there any way to control the validity of the token and/or respond to a webhook to force a logout?
This is controlled by the Discourse maximum session age site setting. It sets the number of hours that users will remain logged into your site for. It defaults to 1440 hours (60 days.) You could try setting this to a lower value. If you set it too low it will seem like a bug to your users.
This makes sense. You can log users out manually by going to their Discourse Admin page and clicking the "Log Out" button that you'll see near the top-right of the page. Another option for controlling this would be to add some code to your WordPress site that logs users out of Discourse when a membership expires.
Much appreciated, Simon. While I think 60 days is too long for my scenarios (these are paying members and so they have an expectation we'd check they are still valid members), I do agree that reducing it too much can be a pain.
The final suggestion (find a way to log them out of Discourse when membership ends) is what I will research. I had seen the manual logout option but looking to totally automate all of this, so that seems like the right path.
Hmm… the description of the site setting says (emphasis mine):
User will remain logged in for n hours since last visit
If I understand correctly, users could remain logged in forever if they continue to visit the site periodically even after they lose their SSO credentials. For example, if the setting were set to 72 hours, as long as they continued to visit the site every day or two, they'd remain logged in. Am I interpreting that correctly?
So is the implication of this that if someone cancels my membership and I want to be sure they can't access my forum I will need to forcefully log them off (manually or via an API call)?
Thank you. Having just switched from a Facebook group (which required manually removing members when they cancelled their subscriptions) it's unfortunate that, with Discourse, I will still have a manual process to ensure cancelled members can't access my forum. That leads to a question.
Is there any non-manual mechanism - however creative - where I can ensure a user who no longer has a valid account, i.e. s/he cannot log on, will be forcefully logged out of Discourse?
It does seem logically weird to have the SSO mechanism block users from logging on (recognizing the fact they don't have a valid account), but if they simply access the forum on a regular basis (less than the timeout) they can access the forum for as long as they like, until I log them off manually.
I guess my final option, potentially, is to write a plugin that will call a Discourse API to log them out when they cancel.
Open to any and all ideas here. As you can tell, I REALLY want to avoid having to do this manually.
Stepping back though, does this not seem like something of a problem? I guess we can debate the importance of this, but having a platform where users can just continue to access a forum endlessly, even when they no longer have a valid account, is not something I have seen elsewhere.
I can perhaps buy the notion that it's WordPress, rather than Discourse, which is the authoritative source here. So that probably points the finger at the SSO plugin as the best place to locate some logic.
Curious to know the overall thinking here. I'd like to think the scenario is a valid one (force logout after a certain period of time or based on a WordPress account becoming "invalid"), no?
Just brainstorming here since I would like to avoid manual steps - but also want to avoid writing code, if I can.
Yes, this will need to be handled by WordPress. I think it would make sense for the WP Discourse plugin to log users out of Discourse when they are deleted on WordPress, but I'm not sure that this would solve your problem. My assumption is that when a user's membership expires on your site, the user isn't deleted from your WordPress site. To handle the case of logging a user out of Discourse when their membership expires, you will probably need to add some code to your site that hooks into whatever action is fired by your membership plugin when a membership expires.
Thank you again, @simon. Your points make sense, but forgive me if I carry on for one more pass.
It seems to be that there are two factors at play here - the validity of an account (namely, are they an active member) and the validity of a token in Discourse.
For the first of these I absolutely agree that WordPress should own this and, as time allows, I will investigate.
However, there's also the question of an active/valid token on the Discourse side. I understand that this might not be a high priority, but I can see some logic in an option (probably defaulting to off) which has a "force logon" timeframe, namely after x days the user's logon token expires, regardless of whether s/he logged on recently.
Again, I am very much brainstorming here, but can see some value in forcing a logout as an option, independent of whether the user has a valid account.
You need to make an authenticated POST request to the route. You could set this up to log out users when they click a link, but you will have to handle the request on the server.
Thanks! Authenticated, eh? Doing some research on this, looks like an authenticated post from PHP sends something like this content in the header:
'Authorization: OAuth '.$accesstoken;
There are some clues out there which I'll continue to research.
But it would be great if someone had a snippet of PHP code which worked! The example in https://docs.discourse.org/ authentication section returns a syntax error for me… oh wait, that's a Unix command!
Since you are on WordPress, you could try making the request with the wp_remote_post function. That way you don't have to deal with the curl options.
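Putting the two suggestions in this thread together, as an added example that is not code from the thread or from the WP Discourse plugin: a WordPress hook that, when a membership expires, looks up the Discourse account by its SSO external id and POSTs to the Discourse admin log-out route with wp_remote_post, so the session is revoked without waiting for the maximum session age to run out. The action name my_membership_expired is hypothetical (substitute whatever your membership plugin fires), and DISCOURSE_URL, DISCOURSE_API_KEY and DISCOURSE_API_USER are placeholder constants you would define in wp-config.php; it also assumes the WordPress user ID is used as the SSO external_id.

```php
<?php
// Added example, not from the thread or the WP Discourse plugin.
// DISCOURSE_URL, DISCOURSE_API_KEY, DISCOURSE_API_USER: placeholder constants.
// 'my_membership_expired': hypothetical action fired by the membership plugin.

function my_discourse_headers() {
    // Discourse API requests authenticate with these two headers (not an OAuth token).
    return array(
        'Api-Key'      => DISCOURSE_API_KEY,
        'Api-Username' => DISCOURSE_API_USER, // an admin account
        'Accept'       => 'application/json',
    );
}

// Resolve the Discourse user id from the SSO external id (assumed to be the WP user id).
function my_discourse_user_id_for( $wp_user_id ) {
    $url = trailingslashit( DISCOURSE_URL ) . 'users/by-external/' . rawurlencode( $wp_user_id ) . '.json';
    $res = wp_remote_get( $url, array( 'headers' => my_discourse_headers(), 'timeout' => 10 ) );
    if ( is_wp_error( $res ) || 200 !== wp_remote_retrieve_response_code( $res ) ) {
        return null; // no Discourse account yet, or API failure: nothing to log out
    }
    $body = json_decode( wp_remote_retrieve_body( $res ), true );
    return isset( $body['user']['id'] ) ? (int) $body['user']['id'] : null;
}

// Invalidate the user's Discourse sessions: POST /admin/users/{id}/log_out.json
function my_discourse_force_logout( $wp_user_id ) {
    $discourse_id = my_discourse_user_id_for( $wp_user_id );
    if ( null === $discourse_id ) {
        return false;
    }
    $url = trailingslashit( DISCOURSE_URL ) . 'admin/users/' . $discourse_id . '/log_out.json';
    $res = wp_remote_post( $url, array( 'headers' => my_discourse_headers(), 'timeout' => 10 ) );
    if ( is_wp_error( $res ) ) {
        error_log( 'Discourse logout failed for WP user ' . $wp_user_id . ': ' . $res->get_error_message() );
        return false;
    }
    // Anything other than 200 means the revocation did not happen; make that visible.
    $ok = 200 === wp_remote_retrieve_response_code( $res );
    if ( ! $ok ) {
        error_log( 'Discourse logout returned HTTP ' . wp_remote_retrieve_response_code( $res ) . ' for WP user ' . $wp_user_id );
    }
    return $ok;
}

// Wire the logout to the membership plugin's expiry event (hypothetical hook name).
add_action( 'my_membership_expired', 'my_discourse_force_logout', 10, 1 );
```

Because the call is made server-side from WordPress, the API key never reaches the browser; the same function can also be attached to the action your plugin fires on cancellation or on a failed payment.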