From f88ee4a9523bf3c4a61a45832963c558aed4d0b1 Mon Sep 17 00:00:00 2001
From: Nassim Bounouas <NassimBounouas@users.noreply.github.com>
Date: Wed, 18 Dec 2019 09:59:00 +0100
Subject: [PATCH] Feature/password reset link expiration (#2305)

* #1928 Add a sentence indicating the reset time limit on form and email

* #1928 Customizable password reset lifetime

* #1928 Add a route to verify reset link and call it on reset form init

* Revert "#1928 Customizable password reset lifetime"

This reverts commit 0ed97453f8e64e31a723cc6740b251a69a57d658.

* #1928 Reset password lifetime hardcoded to one hour

* Remove useless modifications for #1928
---
 client/src/app/login/login.component.ts | 2 +-
 server/initializers/constants.ts        | 2 +-
 server/lib/emailer.ts                   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/client/src/app/login/login.component.ts b/client/src/app/login/login.component.ts
index 12c631107..911b9982f 100644
--- a/client/src/app/login/login.component.ts
+++ b/client/src/app/login/login.component.ts
@@ -78,7 +78,7 @@ export class LoginComponent extends FormReactive implements OnInit {
       .subscribe(
         () => {
           const message = this.i18n(
-            'An email with the reset password instructions will be sent to {{email}}.',
+            'An email with the reset password instructions will be sent to {{email}}. The link will expire within 1 hour.',
             { email: this.forgotPasswordEmail }
           )
           this.notifier.success(message)
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 7e2617653..79fcd0edf 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -486,7 +486,7 @@ let PRIVATE_RSA_KEY_SIZE = 2048
 // Password encryption
 const BCRYPT_SALT_SIZE = 10
 
-const USER_PASSWORD_RESET_LIFETIME = 60000 * 5 // 5 minutes
+const USER_PASSWORD_RESET_LIFETIME = 60000 * 60 // 60 minutes
 
 const USER_EMAIL_VERIFY_LIFETIME = 60000 * 60 // 60 minutes
 
diff --git a/server/lib/emailer.ts b/server/lib/emailer.ts
index 523b11d0d..7484524a4 100644
--- a/server/lib/emailer.ts
+++ b/server/lib/emailer.ts
@@ -369,7 +369,7 @@ class Emailer {
   addPasswordResetEmailJob (to: string, resetPasswordUrl: string) {
     const text = `Hi dear user,\n\n` +
       `A reset password procedure for your account ${to} has been requested on ${WEBSERVER.HOST} ` +
-      `Please follow this link to reset it: ${resetPasswordUrl}\n\n` +
+      `Please follow this link to reset it: ${resetPasswordUrl}  (the link will expire within 1 hour)\n\n` +
       `If you are not the person who initiated this request, please ignore this email.\n\n` +
       `Cheers,\n` +
       `${CONFIG.EMAIL.BODY.SIGNATURE}`