We use the same logic for creating accounts without a password, and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h; 7d is closer to the behavior they expect.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
tags/v14.0.0RC2
@@ -187,7 +187,7 @@ class LostController extends Controller { | |||
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); | |||
} | |||
if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*12) || | |||
if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) || | |||
$user->getLastLogin() > $splittedToken[0]) { | |||
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired')); | |||
} |
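Review bot: The 7-day window in `if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*24*7) ||` now also applies to ordinary password-reset links, because, per the commit message, signup and reset share this check. A reset mail that is forwarded, archived or read from a compromised mailbox therefore stays usable fourteen times longer than before. The only early invalidation visible in this hunk is the `getLastLogin()` comparison, which does not help an account that has not logged in since the mail was sent. I would keep the short lifetime for resets and apply the long one only to tokens issued for passwordless account creation, if the caller can tell the two apart (not visible here; the method starts outside the hunk). At minimum, replace the inline arithmetic with a named constant and a comment stating the trade-off, e.g. `private const TOKEN_LIFETIME_SECONDS = 60 * 60 * 24 * 7; // also bounds password-reset links`.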
@@ -584,7 +584,7 @@ class LostControllerTest extends \Test\TestCase { | |||
->with('ValidTokenUser') | |||
->willReturn($this->existingUser); | |||
$this->timeFactory->method('getTime') | |||
->willReturn(55546); | |||
->willReturn(617146); | |||
$this->crypto->method('decrypt') | |||
->with( |