LT-236: Add expiration time for password reset link

Packages/active-entry/lib/ActiveEntry.js

@@ -361,16 +361,33 @@ ActiveEntry.resetPassword = function(passwordValue, confirmPassword) {
     return;
   }
 
-  Accounts.resetPassword(Session.get('_resetPasswordToken'), passwordValue, function(error) {
+  // Check token is expired
+  Meteor.call('checkResetTokenIsExpired',Session.get('_resetPasswordToken'), function(error, isTokenExpired) {
     if (error) {
-      ActiveEntry.errorMessages.set("resetPassword", error.message);
+      console.log(error.message);
       return;
     }
-    Session.set('_resetPasswordToken', null);
-    // Update last login time
-    Meteor.call("updateLastLoginDate");
-    var ActiveEntryConfig = Session.get('Photonic.ActiveEntry');
-    Router.go(ActiveEntryConfig.signIn.destination);
+
+    if (isTokenExpired) {
+      console.log("Your link is expired");
+      // Go to forgotPassword to create a new reset link
+      ActiveEntry.errorMessages.set("forgotPassword", 'Your link is expired. Please create a new reset link.');
+      Router.go('/forgotPassword');
+      return;
+    }
+
+    Accounts.resetPassword(Session.get('_resetPasswordToken'), passwordValue, function(error) {
+      if (error) {
+        ActiveEntry.errorMessages.set("resetPassword", error.message);
+        return;
+      }
+      Session.set('_resetPasswordToken', null);
+      // Update last login time
+      Meteor.call("updateLastLoginDate");
+      var ActiveEntryConfig = Session.get('Photonic.ActiveEntry');
+      Router.go(ActiveEntryConfig.signIn.destination);
+    });
+
   });
 };
 

Packages/active-entry/server/methods.js

@@ -164,6 +164,26 @@ Meteor.methods({
       return true;
     }
 
+    return false;
+  },
+
+  checkResetTokenIsExpired: function(token) {
+    var user = Meteor.users.findOne({"services.password.reset.token": token});
+    if (!user) {
+      return;
+    }
+    var tokenCreatedTime = user.services.password.reset.when;
+    if (!tokenCreatedTime) {
+        return;
+    }
+    // Token will be expired if created time is over 30 min as default
+    tokenCreatedTime.setTime(tokenCreatedTime.getTime() + 30*60000);
+    if (tokenCreatedTime < new Date()) {
+        // Remove reset token
+        Meteor.users.update({_id: user._id}, {$unset: {'services.password.reset': 1}});
+        return true;
+    }
+
     return false;
   }
 

Packages/lesiontracker/package.js

@@ -238,7 +238,6 @@ Package.onUse(function(api) {
     api.export('Measurements', [ 'client', 'server' ]);
     api.export('Studies', [ 'client', 'server' ]);
     api.export('Timepoints', [ 'client', 'server' ]);
-
     api.export('Reviewers', [ 'client', 'server' ]);
 
 });