Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
accounts-base: enroll tokens deleted too soon #8218
(expanded from #7794 (comment) and filed as a new issue)
#7817 was intended to allow separate timeouts for enrollment tokens and password reset tokens, so enrollment tokens could last for (by default) 30 days, whereas password reset tokens could be made to expire more quickly (default 3 days).
That pull request appears to have a bug which causes enrollment tokens to be cleaned up under the reset token expiry rules. The net effect is that under the default settings, enrollment tokens are destroyed after 3 days, rather than after 30 days. Regardless of what a developer sets
In particular, when processing password reset token expiry at https://github.com/meteor/meteor/pull/7817/files#diff-2ae5b6c36ab4132c1a2d0e33b5fd8443R1158 a
Observed in Meteor 184.108.40.206 (email@example.com), but the bug I've identified is still in master as of this writing.
We're working around this by bumping the validity duration of password reset tokens, but that may not be a palatable option for everyone.