introduced the jwt expiry for forced logout of users; defaulting to 1 hour, overridable by env. variable KONGA_JWT_TOKEN_EXPIRY

api/policies/authenticated.js

@@ -28,7 +28,7 @@ module.exports = function authenticated(request, response, next) {
       return response.json(401, {message: 'Given authorization token is not valid', logout: true});
     } else {
       // Store user id to request object
-      request.token = token;
+      request.token = token.id.toString();
 
       // We delete the token from query and body to not mess with blueprints
       request.query && delete request.query.token;

api/services/Token.js

@@ -20,7 +20,8 @@ module.exports.issue = function issue(payload) {
 
     return jwt.sign(
         payload, // This is the payload we want to put inside the token
-        process.env.TOKEN_SECRET || "oursecret" // Secret string which will be used to sign the token
+        process.env.TOKEN_SECRET || "oursecret", // Secret string which will be used to sign the token
+        { expiresIn: parseInt(process.env.KONGA_JWT_TOKEN_EXPIRY || 60 * 60 )}
     );
 };