Authentication token expiration on session timeout

lib/devise.rb

@@ -139,6 +139,10 @@ module Devise
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
 
+  # Authentication token expiration on timeout
+  mattr_accessor :expire_auth_token_on_timeout
+  @@expire_auth_token_on_timeout = false
+
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil

lib/devise/hooks/timeoutable.rb

@@ -11,6 +11,7 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     if record.timedout?(last_request_at)
       warden.logout(scope)
+      record.reset_authentication_token! if record.respond_to?(:reset_authentication_token!) && record.expire_auth_token_on_timeout
       throw :warden, :scope => scope, :message => :timeout
     end
 

lib/devise/models/token_authenticatable.rb

@@ -56,6 +56,9 @@ module Devise
       def after_token_authentication
       end
 
+      def expire_auth_token_on_timeout
+        self.class.expire_auth_token_on_timeout
+      end
 
       module ClassMethods
         def find_for_token_authentication(conditions)
@@ -67,7 +70,7 @@ module Devise
           generate_token(:authentication_token)
         end
 
-        ::Devise::Models.config(self, :token_authentication_key)
+        ::Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)
       end
     end
   end