From a11f8cebc2368fe0569b2754b1e9c0affc0b4cd2 Mon Sep 17 00:00:00 2001
From: augustuswm
Date: Fri, 20 Mar 2026 12:50:51 -0500
Subject: [PATCH] Define a hard cap for magic link expirations
---
 v-api/src/endpoints/login/magic_link/mod.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/v-api/src/endpoints/login/magic_link/mod.rs b/v-api/src/endpoints/login/magic_link/mod.rs
index c2cc537..7d731e8 100644
--- a/v-api/src/endpoints/login/magic_link/mod.rs
+++ b/v-api/src/endpoints/login/magic_link/mod.rs
@@ -31,6 +31,8 @@ use crate::{

 pub mod client;

+static EXPIRATION_MAX: Duration = Duration::minutes(15);
+
 #[derive(Debug, Deserialize, JsonSchema)]
 pub struct MagicLinkPath {
 channel: String,
@@ -121,7 +123,7 @@ where
 medium,
 channel,
 scope.as_deref(),
- Utc::now().add(Duration::seconds(expires_in)),
+ Utc::now().add(Duration::seconds(expires_in).min(EXPIRATION_MAX)),
 &recipient,
 )
 .await;
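Review bot: `EXPIRATION_MAX` in the first hunk is declared as a `static` and carries no comment, although it is the security-relevant ceiling on how long a magic link stays redeemable. A `const` is the usual form for a fixed value that needs no stable address, so `const EXPIRATION_MAX: Duration = Duration::minutes(15);` would read more idiomatically. A doc comment such as `/// Hard upper bound on a magic link's lifetime; longer requested expirations are clamped to this.` would record the intent so the value is not relaxed casually later.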
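Review bot: The cap in the second hunk is applied only after `Duration::seconds(expires_in)` has been constructed, and it sets no lower bound. If `Duration` is chrono's, recent releases of which panic in `seconds` on out-of-range input, a very large `expires_in` would abort the request before `.min(EXPIRATION_MAX)` runs, while a zero or negative value passes through and produces a link that is already expired. Where `expires_in` originates is outside the hunk, so this matters to the extent it is caller-supplied. Clamping the integer first covers both cases, e.g. `Duration::seconds(expires_in.clamp(1, EXPIRATION_MAX.num_seconds()))` with whatever minimum the service considers usable. The enclosing function starts and ends outside the hunk.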