Add "options" flag to disable access token invalidation

[bajtos]

Invalidating all access tokens on every change of email/password is a bit cumbersome for users. The invalidation was added to allow users to recover after their email/password was stolen. IMO, users usually change their email/password for different reasons and in most cases do not want their other sessions to be logged out.

I am proposing to modify the current implementation to recognize a new flag set via method "options" argument, allowing LoopBack apps to offer the user a choice whether to invalidate other sessions or not.

// sample usage in a custom remote method
Customer.prototype.changePassword = function(newPass, invalidateAccessTokens, options, cb) {
  var data = { password: newPass };
  options.invalidateAccessTokens = invalidateAccessTokens;
  this.updateAttributes(data, options, cb);
};

See also #3034.

[bajtos]

On the second thought, this is a great "first commit" task for people wanting to start contributing to LoopBack. I have added patch-welcome label and removed P1.

[barocsi]

It would be great to just have some methods so we can override the hook registration of some email and password related stuff. It can be pretty blocking when you have a slightly but not completely different implementation.

[lchaglla]

Can I try to fix this, I mean is it still open?

[bajtos]

@lchaglla thank you for chiming in! This issue hasn't been fixed yet so yes, it's still open for contribution.

However: we are planning to release LoopBack 4 next week, after which LoopBack 3 moves to Active LTS and no new features will be accepted anymore. I am not sure how likely it is to get your contribution into a shape when it can be landed by that time.