This library is great and fits my use case perfectly minus a small feature which would be great to see.
I currently keep my token TTL short, which will obviously log people out from inactivity, so I let them refresh it through the day. I would like to set a max TTL from the creation time of the full working day so that they are logged out each evening.
This is a small business application, so it is only used during business hours, where the tokens would naturally expire overnight. The concern with AUTO_REFRESH: True is that it would give an attacker effectively infinite access if they have stolen a token that they can keep refreshing. Currently I am not fingerprinting IP addresses etc. and the token is the only authentication method.
What I propose is a setting for MAX_TOKEN_TTL which will auto-refresh up until that point, at which point AUTO_REFRESH is overridden and they must get a new token. My current solution is a cron job which just deletes tokens at the end of the day, but keeping it all in house with the library would be great. What do you think?
Thanks!
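The behaviour proposed above, as an added example that is not part of the original issue and not the library's own code (the page does not name the library): a sliding-expiry token check in plain Python where every authenticated request extends the expiry by TOKEN_TTL but never past created + MAX_TOKEN_TTL, so a stolen token that is refreshed continuously still dies at the hard cap. The setting names TOKEN_TTL, AUTO_REFRESH and MAX_TOKEN_TTL, the helper functions, and the timestamps in the simulation are assumptions modelled on the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical settings modelled on the proposal in the issue (names are assumptions,
# not a real library's configuration).
TOKEN_TTL = timedelta(minutes=30)        # sliding inactivity timeout
AUTO_REFRESH = True                      # extend expiry on every authenticated request
MAX_TOKEN_TTL = timedelta(hours=10)      # hard cap measured from creation, not from last use


@dataclass
class AuthToken:
    created: datetime   # needed for the cap; a store that keeps only `expiry` cannot enforce it
    expiry: datetime


def issue_token(now: datetime, ttl: timedelta = TOKEN_TTL,
                max_ttl: Optional[timedelta] = MAX_TOKEN_TTL) -> AuthToken:
    """Create a token whose first expiry is min(now + ttl, now + max_ttl)."""
    expiry = now + ttl
    if max_ttl is not None:
        expiry = min(expiry, now + max_ttl)
    return AuthToken(created=now, expiry=expiry)


def authenticate(token: AuthToken, now: datetime, ttl: timedelta = TOKEN_TTL,
                 auto_refresh: bool = AUTO_REFRESH,
                 max_ttl: Optional[timedelta] = MAX_TOKEN_TTL) -> bool:
    """Return True if the token is valid at `now`, sliding its expiry if allowed.

    The refresh never moves expiry past created + max_ttl, so a token that is
    presented continuously (by its owner or by whoever stole it) still stops
    working at the hard limit instead of living forever.
    """
    if now >= token.expiry:
        return False                      # inactivity timeout or hard cap reached
    if auto_refresh:
        new_expiry = now + ttl
        if max_ttl is not None:
            new_expiry = min(new_expiry, token.created + max_ttl)
        token.expiry = new_expiry
    return True


def token_lifetime_minutes(refresh_every_min: int, max_ttl_min: Optional[int],
                           ttl_min: int = 30, horizon_days: int = 3) -> Optional[int]:
    """Simulate a client that presents the token every `refresh_every_min` minutes.

    Returns the number of minutes after creation at which the token stopped
    authenticating, or None if it was still valid after `horizon_days`
    (i.e. refresh is effectively unbounded).
    """
    ttl = timedelta(minutes=ttl_min)
    max_ttl = timedelta(minutes=max_ttl_min) if max_ttl_min is not None else None
    start = datetime(2024, 1, 8, 8, 0, tzinfo=timezone.utc)   # constructed: Monday 08:00 UTC
    token = issue_token(start, ttl, max_ttl)
    now = start
    while now - start <= timedelta(days=horizon_days):
        now += timedelta(minutes=refresh_every_min)
        if not authenticate(token, now, ttl, True, max_ttl):
            return int((now - start).total_seconds() // 60)
    return None


if __name__ == "__main__":
    # Stolen token refreshed every 10 minutes: unbounded without the cap, 600 minutes with it.
    print("AUTO_REFRESH only:     ", token_lifetime_minutes(10, None))
    print("with MAX_TOKEN_TTL=10h:", token_lifetime_minutes(10, 600))
    # A client idle longer than TOKEN_TTL is logged out regardless of the cap.
    print("idle 40 min:           ", token_lifetime_minutes(40, 600))
```

The cap is keyed to the token's creation time, not to its last refresh, so it bounds the exposure window of a stolen token to MAX_TOKEN_TTL no matter how often the attacker touches it; enforcing it inside the authentication path also means expired tokens are rejected immediately rather than only when a nightly cleanup job runs.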