Add 12 hour expiry to email verification tokens

2021-11-24 17:41:39 +00:00 · 2021-11-24 17:41:39 +00:00 · 0486eb76c0
parent 3b5c9950de
commit 0486eb76c0
2 changed files with 11 additions and 1 deletions
--- a/app/blueprints/users/account.py
+++ b/app/blueprints/users/account.py
@ -311,11 +311,19 @@ def set_password():
@bp.route("/user/verify/")
 def verify_email():
 	token = request.args.get("token")
-	ver : UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first()
+	ver: UserEmailVerification = UserEmailVerification.query.filter_by(token=token).first()
 	if ver is None:
 		flash("Unknown verification token!", "danger")
 		return redirect(url_for("homepage.home"))

+	delta = (datetime.datetime.now() - ver.created_at)
+	delta: datetime.timedelta
+	if delta.total_seconds() > 12*60*60:
+		flash("Token has expired", "danger")
+		db.session.delete(ver)
+		db.session.commit()
+		return redirect(url_for("homepage.home"))
+
 	user = ver.user

 	addAuditLog(AuditSeverity.USER, user, "Confirmed their email",
--- a/app/flatpages/email_sent.md
+++ b/app/flatpages/email_sent.md
@ -4,4 +4,6 @@ toc: False
 We've sent an email to the address you specified.
 You'll need to click the link in the email to confirm it

+**The link will expire in 12 hours**
+
 <a class="btn btn-secondary" href="/help/faq/#my-verification-email-never-arrived">My email never arrived</a>