Add 12 hour expiry to email verification tokens

rubenwardy 2021-11-24 17:41:39 +00:00
parent 3b5c9950de
commit 0486eb76c0
2 changed files with 11 additions and 1 deletions

@ -311,11 +311,19 @@ def set_password():
@bp.route("/user/verify/") @bp.route("/user/verify/")
def verify_email(): def verify_email():
token = request.args.get("token") token = request.args.get("token")
ver : UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first() ver: UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first()
if ver is None: if ver is None:
flash("Unknown verification token!", "danger") flash("Unknown verification token!", "danger")
return redirect(url_for("homepage.home")) return redirect(url_for("homepage.home"))
delta = (datetime.datetime.now() - ver.created_at)
delta: datetime.timedelta
if delta.total_seconds() > 12*60*60:
flash("Token has expired", "danger")
db.session.delete(ver)
db.session.commit()
return redirect(url_for("homepage.home"))
user = ver.user user = ver.user
addAuditLog(AuditSeverity.USER, user, "Confirmed their email", addAuditLog(AuditSeverity.USER, user, "Confirmed their email",
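Review bot: The expiry check at `delta = (datetime.datetime.now() - ver.created_at)` compares a naive local-time `now()` against `created_at`, and if that column is populated with `datetime.utcnow()` or a UTC database default — common for SQLAlchemy models, though not visible in this hunk — the difference is off by the server's UTC offset, so on a non-UTC host a 12-hour token expires several hours early or late. Whichever clock writes `created_at` should be the one read here, and the test reads better against a timedelta than a hand-computed second count: `if datetime.datetime.now() - ver.created_at > datetime.timedelta(hours=12):` in place of the two `delta` lines and the `total_seconds() > 12*60*60` test, dropping the bare `delta: datetime.timedelta` annotation statement that follows the assignment. Lifting the lifetime to a module-level `EMAIL_VERIFY_TOKEN_LIFETIME = datetime.timedelta(hours=12)` would also keep this code and the "12 hours" sentence in the help page from drifting apart. `verify_email` continues past the end of the hunk.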

@ -4,4 +4,6 @@ toc: False
We've sent an email to the address you specified. We've sent an email to the address you specified.
You'll need to click the link in the email to confirm it You'll need to click the link in the email to confirm it
**The link will expire in 12 hours**
<a class="btn btn-secondary" href="/help/faq/#my-verification-email-never-arrived">My email never arrived</a> <a class="btn btn-secondary" href="/help/faq/#my-verification-email-never-arrived">My email never arrived</a>