Incorrect expiration date validation for `_perishable_token_expires_at`

Open mtrezza opened this issue 1 month ago • 3 comments

New Issue Checklist

Issue Description

⚠️ Potential issue | 🔴 Critical

Token lookup uses inverted expiry comparator and lacks Auth.maintenance/limit.

  • _perishable_token_expires_at should be greater than “now” for a valid token.
  • Use Auth.maintenance like the email path for consistency.
  • Limit results to 1.

Apply:

-      userResults = await req.config.database.find('_User', {
-        _perishable_token: token,
-        _perishable_token_expires_at: { $lt: Parse._encode(new Date()) },
-      });
+      userResults = await req.config.database.find(
+        '_User',
+        {
+          _perishable_token: token,
+          _perishable_token_expires_at: { $gt: Parse._encode(new Date()) },
+        },
+        { limit: 1 },
+        Auth.maintenance(req.config)
+      );
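Review bot: flipping `$lt` to `$gt` in the `_perishable_token_expires_at` constraint inverts which tokens this branch matches, and the thread below names an existing spec, 'can resend email using an expired reset password token' in ValidationAndPasswordsReset.spec.js, which suggests the token path may be meant to find an expired token for a resend rather than validate a live one; confirm that intent and run that spec before applying the comparator change. The `{ limit: 1 }` and `Auth.maintenance(req.config)` additions stand on their own and can be applied regardless of how the comparator question is resolved.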
🤖 Prompt for AI Agents
In src/Routers/UsersRouter.js around lines 454 to 471, the token lookup query
uses the wrong expiry comparator and is missing the same options as the email
path; change the _perishable_token_expires_at check to $gt Parse._encode(new
Date()) so only unexpired tokens match, and call req.config.database.find with
the same options as the email branch: pass { limit: 1 } and
Auth.maintenance(req.config) as the query options so the lookup is limited to
one result and runs under maintenance context.

Reported by @coderabbitai

mtrezza avatar Nov 17 '25 20:11 mtrezza
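
The comparator question raised above, as an added example that is not part of parse-server or of this issue: a small synchronous in-memory stand-in for `database.find` (`makeDatabase`, `matches`, and the two lookup functions are invented names) run over constructed `_User` rows, so that what `$lt now` and `$gt now` each select is visible side by side. Plain `Date` objects stand in for the encoded dates `Parse._encode(new Date())` would produce in the real query.

```javascript
// Added example (not parse-server code). A minimal stand-in for
// `req.config.database.find(className, where, options)` so the effect of the
// `$lt` vs `$gt` expiry comparator can be observed on constructed data.
// Unlike the real find(), this one is synchronous to keep the example small.

// Evaluate one Parse-style constraint against a stored value.
// Supports equality (including Date equality) and the $lt / $gt operators.
function matches(value, constraint) {
  if (constraint instanceof Date) {
    return value instanceof Date && value.getTime() === constraint.getTime();
  }
  if (constraint !== null && typeof constraint === 'object') {
    // Date objects compare via valueOf(), so < and > work on them directly.
    // A row with no expiry field yields undefined, which never satisfies either.
    if ('$lt' in constraint) return value < constraint.$lt;
    if ('$gt' in constraint) return value > constraint.$gt;
    throw new Error(`unsupported constraint ${JSON.stringify(constraint)}`);
  }
  return value === constraint;
}

// Build an in-memory database over { className: [rows] }.
function makeDatabase(collections) {
  return {
    find(className, where, options = {}) {
      const rows = (collections[className] || []).filter(row =>
        Object.entries(where).every(([field, c]) => matches(row[field], c))
      );
      return options.limit === undefined ? rows : rows.slice(0, options.limit);
    },
  };
}

// Constructed sample data: one user whose reset token expired an hour before
// NOW, one whose token is still valid for another hour, one with no expiry.
const NOW = new Date('2025-11-17T20:00:00Z');
const db = makeDatabase({
  _User: [
    { objectId: 'u-expired', _perishable_token: 'tok-expired',
      _perishable_token_expires_at: new Date('2025-11-17T19:00:00Z') },
    { objectId: 'u-valid', _perishable_token: 'tok-valid',
      _perishable_token_expires_at: new Date('2025-11-17T21:00:00Z') },
    { objectId: 'u-no-expiry', _perishable_token: 'tok-no-expiry' },
  ],
});

// The shape of the lookup as quoted in the issue: `$lt now` matches tokens
// whose expiry is already in the past, i.e. it finds *expired* tokens.
function findUserByExpiredToken(database, token, now) {
  return database.find(
    '_User',
    { _perishable_token: token, _perishable_token_expires_at: { $lt: now } },
    { limit: 1 }
  );
}

// The lookup a "token must still be valid" check requires: `$gt now`.
function findUserByUnexpiredToken(database, token, now) {
  return database.find(
    '_User',
    { _perishable_token: token, _perishable_token_expires_at: { $gt: now } },
    { limit: 1 }
  );
}

// Run both lookups for a token and return the matching objectIds, so the
// difference between the two comparators is visible for any given token.
function classifyToken(database, token, now) {
  return {
    expiredMatch: findUserByExpiredToken(database, token, now).map(u => u.objectId),
    validMatch: findUserByUnexpiredToken(database, token, now).map(u => u.objectId),
  };
}

// Which comparator is right depends on what the caller wants: a flow that
// consumes the token to reset a password needs the unexpired match; a flow
// that resends the email for a lapsed token needs the expired match.
for (const token of ['tok-expired', 'tok-valid', 'tok-no-expiry', 'tok-unknown']) {
  console.log(token, JSON.stringify(classifyToken(db, token, NOW)));
}
```

The `u-no-expiry` row shows a point worth checking in any real implementation: a token record with no expiry field satisfies neither comparator, so it is never matched, which is the safe direction for the validation path but would also make it unreachable for a resend path.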

🚀 Thanks for opening this issue!

ℹ️ You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

There is a test that seems to cover this: 'can resend email using an expired reset password token' in ValidationAndPasswordsReset.spec.js. I don't know if this one should be removed or not?

coratgerl avatar Nov 18 '25 07:11 coratgerl

I haven't validated the issue yet. It may be a false positive. There should be tests for the token expiration we should look for.

mtrezza avatar Nov 18 '25 07:11 mtrezza