
Password reset link never expires or takes an excessively long time

Summary

Password reset link never expires or takes an excessively long time

Steps to reproduce

  1. Go to the login page.
  2. Click on "Unohditko salasanasi?" to request a password reset.
  3. Enter your email address and submit the request.
  4. Receive the password reset email and click the reset link to confirm it works.

--- The next steps take a long time, so it may be worth considering whether reproducing the problem is necessary before adjusting the expiration time. ---

  5. Wait any amount of time (e.g., several hours, days, or even weeks).
  6. Click the same password reset link again.
  7. Observe that the link still allows you to reset your password, regardless of how much time has passed since it was issued.

What is the current bug behavior?

The password reset link remains valid and allows password reset, regardless of how much time has (supposedly) passed since it was generated.

What is the expected correct behavior?

The password reset link should expire after the configured validity period (e.g., 1 hour). After expiration, the link should no longer allow password reset and should display an appropriate error message.

Relevant logs and/or screenshots

No relevant logs.

Possible fixes

Check the backend logic responsible for generating and validating password reset tokens. Ensure that the expiration time is set correctly when the token is created and that it is properly checked when the link is used.
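As an added illustration of the fix described above (this is example code, not code from the project this report is about), a minimal issue/validate pair in Python that fixes the expiry when the token is created, stores only the token's hash, and rejects the link once the period has passed or the token has been used. The in-memory store, the 1 hour TTL and the function names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store keyed by token hash; a real app would use its database.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 3600  # the 1 hour validity period named in the expected behaviour


def issue_reset_token(user_id, now=None):
    """Create a single-use reset token; store only its hash and a fixed expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # the value that goes into the emailed link
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,  # expiry decided at creation time
        "used": False,
    }
    return token


def validate_reset_token(token, now=None):
    """Return (user_id, None) when usable, otherwise (None, reason)."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None:
        return None, "invalid"
    if record["used"]:
        return None, "already used"
    if now >= record["expires_at"]:  # the check whose absence the report describes
        return None, "expired"
    return record["user_id"], None


def consume_reset_token(token, now=None):
    """Validate, then mark the token used so the same link cannot reset twice."""
    user_id, reason = validate_reset_token(token, now)
    if user_id is not None:
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()]["used"] = True
    return user_id, reason
```

The `reason` string is what the reset page would map to the error message the expected behaviour asks for.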