Do accounts-password email tokens ever expire?
For Accounts.forgotPassword() and Accounts.sendVerificationEmail(), a token is generated.

Does that token ever expire?
If so, after what period of time?

Prepossessing answered 25/10, 2015 at 20:8 Comment(4)
A verificationToken has a creation timestamp but not an expiration timestamp, afaict. I do know a verification token or password reset token can only be used once. - Adelina
Interesting - if I use the token twice (click on the email link again) I get this error message: "Error: Token expired [403]". Misleading wording. - Prepossessing
Michael - is it possible to gain access to the verificationToken creation timestamp? If so, I can create my own token expiration routine. Thx. - Prepossessing
It's in the user object: services.email.verificationTokens.when - Adelina

At the moment there is no built-in code that relates to token expiration: nothing sets an expiration time and nothing enforces one.

The email reset data (token, email and token creation date) is saved in the user's record, as can be seen in the source:

// token and when are set just above this excerpt in the package source:
var token = Random.secret();   // the random reset token that is emailed to the user
var when = new Date();         // creation time only; there is no expiry field
var tokenRecord = {
  token: token,
  email: email,
  when: when
};
// The record is a single embedded object, so a later $set replaces
// whatever reset record was stored before.
Meteor.users.update(userId, {$set: {
  "services.password.reset": tokenRecord
}});

Therefore, the date is in the following mongo selector:

'services.password.reset.when'

Unfortunately, all of the reset data is unset as soon as the resetPassword method is called with the correct token.

This makes it unavailable to the validateLoginAttempt callbacks:

Accounts.validateLoginAttempt(function(options) {
  if (options.methodName === 'resetPassword' && options.allowed === true) {
    console.log('resetPassword', options.user.services.password.reset); //undefined
  }
  return true;
});

Similarly, the email verification token is stored in user.services.email.verificationTokens, which (if set) is an array of token records.

The dates are, therefore, in

'services.email.verificationTokens.when'

You could, however, invalidate old tokens periodically quite easily with this info, or roll your own local fork or wrapper of accounts-password.

Accipiter answered 25/10, 2015 at 22:54 Comment(4)
when thus gives the date at which the token was created, not the one at which it will expire. Have you managed to find any data about automatic, possibly time-based token expiration while crawling the code? - Ammonify
There is no code that expires the token. You should roll your own, for example, create something that runs every hour and removes old tokens. You may also want to change the reset password email template to reflect that. - Accipiter
Of course, you can always fork accounts-password or override its method handlers and inject this functionality in. - Accipiter
@PaulStenne Afaiu "when thus gives the date at which the token was created, not the one at which it will expire": the expiration does get calculated by dateNow - token.when <= tokenLiveTime. I am facing a similar problem to @Accipiter, since I want to create tokens with different expiration dates. If there is any info on this subject, I gladly take advice. But afaik MasterAM pointed out the only two solutions. - Discography

With the current version of Meteor (1.9), tokens do expire, as you can see here in the code (and I guess it has been the case for quite a long time).

Reset password tokens expire after 3 days, while enroll tokens expire after 30 days.

These two parameters are configurable using:

// Example values overriding the defaults of 3 (reset) and 30 (enroll) days
Accounts.config({
    passwordResetTokenExpirationInDays : 10,
    passwordEnrollTokenExpirationInDays : 60,
})
Secunda answered 9/1, 2020 at 13:36 Comment(2)
Meteor should expire existing tokens immediately if a password reset is requested and a new token is generated. Is there some use-case where you wouldn't want this to happen? As presently, it's a security vulnerability. - Waterline
I am not sure about how Meteor handles the existing tokens when a new token is issued after a password change. I guess they are deleted but I haven't checked. If you have confirmed what you claim you should open an issue on the meteor/meteor GitHub repo. This was not the point of the question nor my answer. - Secunda

© 2022 - 2024 — McMap. All rights reserved.