mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-22 10:21:36 +03:00
789e2c96c0
fixes https://github.com/TryGhost/Team/issues/1996 **Issue** Our Magic links are valid for 24 hours. After first usage, the token lives for a further 10 minutes, so that in the case of email servers or clients that "visit" links, the token can still be used. The implementation of the 10 minute window uses setTimeout, meaning if the process is interrupted, the 10 minute window is ignored completely, and the token will continue to live for the remainder of it's 24 hour validity period. To prevent that, the tokens are cleared on boot at the moment. **Solution** To remove the boot clearing logic, we need to make sure the tokens are only valid for 10 minutes after first use even during restarts. This commit adds 3 new fields to the SingleUseToken model: - updated_at: for storing the last time the token was changed/used). Not really used atm. - first_used_at: for storing the first time the token was used - used_count: for storing the number of times the token has been used Using these fields: - A token can only be used 3 times - A token is only valid for 10 minutes after first use, even if the server restarts in between - A token is only valid for 24 hours after creation (not changed) We now also delete expired tokens in a separate job instead of on boot / in a timeout. |
||
---|---|---|
.. | ||
db | ||
exporter | ||
importer | ||
migrations | ||
schema |