I believe not having verification tokens expire after a certain period of time is a security gap: a link that never expires stays valid indefinitely, so one leaked from a mailbox or a log long after it was sent can still verify the address. I found no functionality available to do this even though token objects are stored with a `when` timestamp (used as `tokenRecord.when` below), so I'd like to suggest something like the following. (`ett`, the expiry in minutes, and `timeNow` are assumed to be set earlier in the method and are not shown; note the check only runs when `ett` is truthy, so a non-zero default would be needed for expiry to be on by default.)
var tokenRecord = _.find(user.services.email.verificationTokens,
function (t) {
return t.token == token;
});
if (!tokenRecord)
return {
userId: user._id,
error: new Meteor.Error(403, "Verify email link expired")
};
var emailsRecord = _.find(user.emails, function (e) {
return e.address == tokenRecord.address;
});
if (!emailsRecord)
return {
userId: user._id,
error: new Meteor.Error(403, "Verify email link is for unknown address")
};
//if the config is set run the time check
if (!!ett) {
let tokenTime = tokenRecord.when.valueOf();
let functionTime = timeNow.valueOf();
let expMinutes = ett*60000;
let expired = (( functionTime - tokenTime) > expMinutes);
//if the difference between token creation and now is greater
//than the minutes set, pull the record and return an error.
if (expired) {
Meteor.users.update(
{_id: user._id,
'emails.address': tokenRecord.address},
{$pull: {'services.email.verificationTokens': {address: tokenRecord.address}}});
return {
userId: user._id,
error: new Meteor.Error(403, "Verify email link expired")
};
}
}
// By including the address in the query, we can use 'emails.$' in the
// modifier to get a reference to the specific object in the emails
// array. See
// http://www.mongodb.org/display/DOCS/Updating/#Updating-The%24positionaloperator)
// http://www.mongodb.org/display/DOCS/Updating#Updating-%24pull
Meteor.users.update(
{_id: user._id,
'emails.address': tokenRecord.address},
{$set: {'emails.$.verified': true},
$pull: {'services.email.verificationTokens': {address: tokenRecord.address}}});
return {userId: user._id};
}
My first post, hope it's useful.