Sign and verify authToken per config expireInMinutes option

[epicmonkey]

Additionally we need to invalidate old tokens when user changes her password.

[urbansheep]

It might be a useful added practice to let user know in Settings how many tokens are active and list them with last access date/time stamp (best case — with user agent, OS, ip and geoip location) so that potential breach could be identified.

[epicmonkey]

Indeed! I've created a separate story for this: #230. Moving towards this will open flexible ways building Pepyatka applications, e.g. Import Twitter/RSS, whatever.

[urbansheep]

Yes, even though it's quite a lot of work, this leads to a couple of useful things that Friendfeed had (oAuth for apps and integrations) as well as those (quite critical for secure deployment) that Friendfeed never evolved far enough to develop (such as two-factor login).