Automatic delete old access token associated with newly generated one config

[kairiex2]

Hi.
I was thinking if there is a configuration on

AuthToken.php

config so when the same user request access token, the old one associated with it is deleted automatically. Fow now what i see is whenever i generate a token, it is then saved to database. And when i accidentally request again it keeps saving it to database without revoking the old one.
Also the method to revoke token i think should also have based on user's token name (e.g John's Iphone 15). That way we can secure delete only token given to for example apps on iphone without deleting other token that maybe used on other resource. Maybe the config can be true or false.

[kenjis]

We need more than one token. Tokens are needed for each device, so I think it is rather rare to have one token.
But unlimited tokens are not needed. So it may be better to have maximum token numbers.

Also the method to revoke token i think should also have based on user's token name (e.g John's Iphone 15)

This is not needed. We only need a UI to delete a token with the name.
We can implement it with revokeAccessTokenBySecret().

[kairiex2]

We need more than one token. Tokens are needed for each device, so I think it is rather rare to have one token.
But unlimited tokens are not needed. So it may be better to have maximum token numbers.

Yes, we need more than one token, but what i mean is to prevent old token saved on database still exist when the same user and device request a new token.

This is not needed. We only need a UI to delete a token with the name.
We can implement it with revokeAccessTokenBySecret()

Isn't token's secret only known by database admin's?
Example is like this:
A client request a token for his device. Then on the same device he request again a token. That makes it 2 same purpose token saved to database. What if it is request a lot of times intentionally or unintentionally? Wouldn't it cost a lot uneeded storage on database?
If we implement UI to delete the token, than it just create an extra job for admins to look after this particular token, imagine if the tokens on table is a lot.

[kairiex2]

@kenjis I was browsing again on shield documentation and found this

The plain text version should be displayed to the user immediately so they can copy it for their use. If a user loses it, they cannot see the raw version anymore, but they can generate a new token to use.

Based on this, then if the user keeps generating new token, then the previously generated unused token doesn't get deleted. We can't use the revoke all token method because there might be access token given to that user for another purpose (for example, let's says accessing beta page).