User-based token_lifespan instead

[gustiando]

Hello, one important step before filing an issue is to share reproducible steps. This is exactly where we're having trouble with; the bug below only happens in production.

The issue is once we shorten the token_lifespan from 2 weeks to 30 minutes (or 1800). It gives users http 500s and failing to reset their passwords.

One idea is to set the lifespan to a specific user. So we can either isolate the bug and/or the fix before rolling it out to everybody else. If nobody has other ideas, How can we set different token_lifespan for a user with Devise?

Example of what we see in the prod logs:

NoMethodError: undefined method `[]' for nil:NilClass

    args[:expiry] = tokens[args[:client_id]]['expiry']
                                            ^^^^^^^^^^

Our configuration:

DeviseTokenAuth.setup do |config|
  config.change_headers_on_each_request = true
  config.token_lifespan = ENV.fetch('TOKEN_LIFESPAN', 1800).to_i
  config.token_cost = Rails.env.test? ? 4 : 10
  config.batch_request_buffer_throttle = 10.seconds
  config.default_callbacks = false
  config.bypass_sign_in = false
end