
fix: add 24h expiry to email verification/registration token#695

Open
nadavosa wants to merge 1 commit into
developfrom
fix/651-verify-token-expiry

Conversation

@nadavosa

Collaborator

Summary

The verify JWT ({ id, email, type: "verify" }) was signed without expiresIn, making it valid indefinitely. A token embedded in a URL can leak via logs, referrer headers, or browser history — permanent validity was a security risk.

Single change: pass { expiresIn: `${VERIFY_LIFESPAN_MS}` } (24 hours, the constant already defined in config/constants.ts) to jwt.sign in sendEmailVerification.

Closes #651

Test plan

  • New test verifies jwt.sign is called with expiresIn: "86400000" (24h in ms)
  • Verification links clicked within 24h still activate the account and allow registration
  • Links older than 24h are rejected with "Invalid or expired registration token." (existing error handling in authByVerifyToken already catches expired JWTs)

🤖 Generated with Claude Code

The verify JWT was signed without expiresIn, making it permanently valid.
Now uses the existing VERIFY_LIFESPAN_MS constant (24h).

Closes #651

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>


Development

Successfully merging this pull request may close these issues.

Agent registration: expire the verify/registration token

1 participant