FOSUserBundle icon indicating copy to clipboard operation
FOSUserBundle copied to clipboard

Published 20 hours ago verified publisher icon FriendsOfSymfony

Resetting confirmation token never expires??

Open ovgray opened this issue 7 years ago • 1 comments

Symfony FOSUserBundle versions: v2.0.1

Description of the problem including expected versus actual behavior:

A user who requests a password reset is redirected to a check-email page that says the user has been sent an email containing a link that will expire in two hours.

If that link isn't used in two hours (or two days, or two months), the link redirects to to the resetting request page. But if the user submits the request again, the user is sent the same "expired" link.

Shouldn't a new confirmation token be generated when the existing one is more than retry_ttl old, or at least when it is more than token_ttl old?

It seems that ResettingController::sendEmailAction will use $user->getConfirmationToken() no matter how long ago the token was created.

ovgray avatar Sep 20 '17 14:09 ovgray

So, the validity of a token that has been expired can easily be extended by requesting another reset?

willemstuursma avatar Dec 24 '17 13:12 willemstuursma