Do accounts-password email tokens ever expire?

Question

For Accounts.forgotPassword() and Accounts.sendVerificationEmail(), a token is generated.

Does that token ever expire?
If so, after what period of time?

Answer 1

At the moment there is no built-in code that relates to token expiration, neither setting an expiration time nor enforcing it.

The email reset data (token, email and token creation date) is saved in the user's record, as can be seen in the source:

var tokenRecord = {
  token: token,
  email: email,
  when: when
};
Meteor.users.update(userId, {$set: {
  "services.password.reset": tokenRecord
}});

Therefore, the date is in the following mongo selector:

'services.password.reset.when'

Unfortunately, all of the reset data is unset as soon as the resetPassword method is called with the correct token.

This makes it unavailable to the validateLoginAttempt callbacks:

Accounts.validateLoginAttempt(function(options) {
  if (options.methodName === 'resetPassword' && options.allowed === true) {
    console.log('resetPassword', options.user.services.password.reset); //undefined
  }
  return true;
});

Similarly, the email verification token is stored in user.services.email.verificationTokens, which (if set) is an array of token records.

The dates are, therefore, in

'services.email.verificationTokens.when'

You could, however, invalidate old tokens periodically quite easily with this info, or roll your own local fork or wrap of accounts-password.

Answer 2

With the current version of Meteor (1.9), tokens do expire, as you can see here in the code (and I guess it has been the case for quite a long time).

Reset password tokens expire after 3 days, when enroll tokens expire after 30 days

These two parameters are configurable using :

Accounts.config({
    passwordResetTokenExpirationInDays : 10,
    passwordEnrollTokenExpirationInDays : 60,
})