This repository has been archived by the owner on Jul 7, 2020. It is now read-only.

Missing token expiry date in .me() SDK endpoint #38

Open
olo2552 opened this issue Jan 26, 2018 · 0 comments


olo2552 commented Jan 26, 2018

Short description

Hello,
As I'm developing an application, I realized that there is no simple way to authenticate the user for a third-party server with SteemConnect.

The Problem

As I'm developing an application which needs a backend to work properly, I wanted to authenticate the user on the client and use the chain of trust to authenticate the user on my server using his token. The problem is that verifying the user's token can only be done with a 'boolean' response. That means that I can only check if the user's token is valid at the time of making the request.

What's missing?

The problem is that the request doesn't provide more detailed information about when the token expires (how long the token will be valid). Without that information the third-party server cannot be 100% sure that the user is still valid.

Why the problem cannot be bypassed

After a lot of brainstorming, I got to the point that there isn't any solution that is 100% both secure and reliable. The 'naive' solution is simply to authenticate every request to the server to check if it's still valid. I hope I don't need to say that it's non-performant for both sides. The SC2 side could have much heavier use of the server, while the third-party server has to wait on every request.
The second thing is that I cannot get the expiry date from the URL location. The user could always change it, for instance with the window.location & window.history API from the console. That way, without changing the valid token, the user is able to lie to the third-party server that the expiry date of his token is later than in reality.

Solution

The solution can be done in 2 ways. Both of them are simple in implementation.

  1. The SDK.me() endpoint could be extended with the token expiry date & username. That way the third-party server could have a reliable source of information without much effort.
  2. Making an SDK.validate() endpoint, where, when provided a valid username and token, the API returns the information about token expiry date & scopes without the entire user information blob.
     Although that way is harder to make and maintain, it has a lot of advantages. Firstly, the SC2 server would not be so stressed: every .me() request made just for validation would be replaced with a much lighter payload. Secondly, it solves the authentication problem while providing a faster solution for both client and server.