I set up Account linking with Amazon and it works all fine, but:
- When I activate the skill I am able to get user’s name and email, and of course the access token
- The code stores the name and email address in the user DB
- Then I deactivate the skill some moments after which unlinks the account.
- If I activate the skill again some moments later the AccessToken still seems to be valid. I get a new UserId (amzn1.ask.account.AGJXN2R…), but the code is still able to get name and email address even the account is not linked yet. which means probably the AccessToken is still valid.
This is a problem (German Privacy Law…), as we are talking here about permissions the user gave to send him emails. Even I am in a testing mode a user could also deactivate and activate a Skill in a very short time period.
Also, this.$user.delete(); does not delete the entry in the DB. But this would not solve this issue anyways. Tested it by deleting the entry manually.
Is there a way to delete an AccessToken (i am using AlexaSkillEvent.SkillDisabled)?
How long is an AccessToken valid?
UPDATE: It seems I found a solution. In the event “AlexaSkillEvent.SkillEnabled” I set the AccessToken to false;
Means, when I user enables a skill a maybe existing AccessToken will be invalid and getAccessToken() returns false. Now it works, but not 100% guaranteed as I just testet it 3-4 times.
So the answers would be still of interest if there is a better solution and if some one knows about the expiration time of a Token let me know please.