9

For Accounts.forgotPassword() and Accounts.sendVerificationEmail(), a token is generated.

Does that token ever expire?
If so, after what period of time?

MasterAM
  • 16,283
  • 6
  • 45
  • 66
Artfree
  • 111
  • 4
  • A `verificationToken` has a creation timestamp but not an expiration timestamp afaict. I do know a verification token or password reset token can only be used once. – Michel Floyd Oct 25 '15 at 21:00
  • Interesting - that if I use the token twice (click on the email link again) I get this err message: "Error: Token expired [403]" Misleading wording. – Artfree Oct 25 '15 at 21:08
  • Michael - is it possible to gain access to the verificationToken creation timestamp? If so, I can create my own token expiration routine. Thx. – Artfree Oct 25 '15 at 21:09
  • It's in the user object: `services.email.verificationTokens.when` – Michel Floyd Oct 26 '15 at 04:13

2 Answers2

1

At the moment there is no built-in code that relates to token expiration, neither setting an expiration time nor enforcing it.

The email reset data (token, email and token creation date) is saved in the user's record, as can be seen in the source:

var tokenRecord = {
  token: token,
  email: email,
  when: when
};
Meteor.users.update(userId, {$set: {
  "services.password.reset": tokenRecord
}});

Therefore, the date is in the following mongo selector:

'services.password.reset.when'

Unfortunately, all of the reset data is unset as soon as the resetPassword method is called with the correct token.

This makes it unavailable to the validateLoginAttempt callbacks:

Accounts.validateLoginAttempt(function(options) {
  if (options.methodName === 'resetPassword' && options.allowed === true) {
    console.log('resetPassword', options.user.services.password.reset); //undefined
  }
  return true;
});

Similarly, the email verification token is stored in user.services.email.verificationTokens, which (if set) is an array of token records.

The dates are, therefore, in 

'services.email.verificationTokens.when'

You could, however, invalidate old tokens periodically quite easily with this info, or roll your own local fork or wrap of accounts-password.

MasterAM
  • 16,283
  • 6
  • 45
  • 66
  • `when` thus gives the date at which the token was created, not the one at which it will expire. Have you managed to find any data about automatic, possibly time-based token expiration while crawling the code? – Kyll Oct 25 '15 at 22:59
  • 1
    There is no code that expires the token. You should roll your own, for example, create something that runs every hour and removes old tokens. You may also want to change the reset password email template to reflect that. – MasterAM Oct 25 '15 at 23:02
  • 1
    Of course, you can always fork accounts-password or override its method handlers and inject this functionality in. – MasterAM Oct 25 '15 at 23:14
  • @PaulStenne Afaiu `when thus gives the date at which the token was created, not the one at which it will expire` the expiration does get calculated by `dateNow - token.when <= tokenLiveTime`. I am standing on a similar problem like @MasterAM since i want to create tokens with different expiration dates. If there is any info on this subject i gladly take advice. But afaik MasterAM pointed out the only two solutions. – Gobliins Jun 28 '18 at 10:56
1

With the current version of Meteor (1.9), tokens do expire, as you can see here in the code (and I guess it has been the case for quite a long time).

Reset password tokens expire after 3 days, when enroll tokens expire after 30 days

These two parameters are configurable using :

Accounts.config({
    passwordResetTokenExpirationInDays : 10,
    passwordEnrollTokenExpirationInDays : 60,
})
Victor
  • 767
  • 4
  • 17
  • Meteor should expire existing tokens immediately if a password reset is requested and a new token is generated. Is there some use-case where you wouldn't want this to happen? As presently, it's a security vulnerability. – evolross Jan 13 '21 at 18:32
  • I am not sure about how Meteor handle the existing tokens when a new token is issued after a password change. I guess they are deleted but I haven't checked. It you have confirmed what you claim you should open an issue on meteor/meteor github repo. This was not the point of the question nor my answer. – Victor Jan 15 '21 at 10:30