[PR #855] [MERGED] fix: for one-time access tokens and signup tokens, pass TTLs instead of absolute expiration date #587

Closed
opened 2025-10-08 00:13:24 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/855
Author: @ItalyPaleAle
Created: 8/20/2025
Status: Merged
Merged: 8/22/2025
Merged by: @stonith404

Base: main ← Head: fix-804


📝 Commits (5)

  • adce7a7 fix: for one-time access tokens, pass TTLs instead of absolute expiration date (https://github.com/pocket-id/pocket-id/commit/adce7a7007aef79cfeaad93648928cbaadc1c9a6)
  • cdb3c22 Merge branch 'main' into fix-804 (https://github.com/pocket-id/pocket-id/commit/cdb3c22956afac73ad6ffe001a645b2488c4562c)
  • 97380c2 Move validation object to a custom validator (https://github.com/pocket-id/pocket-id/commit/97380c29cd337e510c99025692cf811799b87db2)
  • 2db0bc8 Use TTL logic for signup tokens too (https://github.com/pocket-id/pocket-id/commit/2db0bc8e4f4e0c12c781d77d37f019109fa6fbcd)
  • 31a9909 Merge branch 'main' into fix-804 (https://github.com/pocket-id/pocket-id/commit/31a9909b98e847a3268236ed43ed9eb8442d5d87)

📊 Changes

12 files changed (+204 additions, -69 deletions)


📝 backend/internal/cmds/one_time_access_token.go (+1 -1)
📝 backend/internal/controller/user_controller.go (+26 -4)
📝 backend/internal/dto/signup_token_dto.go (+3 -4)
📝 backend/internal/dto/user_dto.go (+4 -4)
📝 backend/internal/dto/validations.go (+28 -15)
📝 backend/internal/service/user_service.go (+23 -24)
➕ backend/internal/utils/json_util.go (+42 -0)
➕ backend/internal/utils/json_util_test.go (+64 -0)
📝 frontend/src/lib/components/one-time-link-modal.svelte (+4 -6)
📝 frontend/src/lib/components/signup/signup-token-modal.svelte (+1 -2)
📝 frontend/src/lib/services/user-service.ts (+6 -6)
📝 frontend/src/routes/settings/account/login-code-modal.svelte (+2 -3)

📄 Description

Fixes #804

We perform computations on expiration times on the server, which means that:

  1. If there's a clock drift with the client, it doesn't change the length of the token (see #804)
  2. We don't need to trust what the client says. Users won't be allowed to create tokens for themselves that last longer than 15 mins.

Also enforces a maximum TTL, server-side, of 31 days, even for people making direct API calls (the UI was not allowing more than 30 days already).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
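The following Go program illustrates the two points of the description above: computing the expiration from a client-supplied TTL on the server's clock (so client clock drift cannot stretch or shrink the token), and clamping the TTL server-side. It is an added example written for this page, not code from the pocket-id repository; the request type, function names, and the assumption that self-service callers are capped at 15 minutes while any caller is capped at 31 days are this example's own reading of the description, not the project's actual API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Limits taken from the PR description: 15 minutes for users creating
// tokens for themselves, 31 days as the absolute server-side ceiling.
// Which callers count as "self-service" is an assumption of this example.
const (
	maxSelfServiceTTL = 15 * time.Minute
	maxTTL            = 31 * 24 * time.Hour
)

var (
	ErrNonPositiveTTL = errors.New("ttl must be positive")
	ErrTTLTooLong     = errors.New("ttl exceeds maximum allowed")
)

// createTokenRequest is a hypothetical request body: the client sends a
// relative TTL in seconds and never an absolute timestamp.
type createTokenRequest struct {
	TTLSeconds int64 `json:"ttl"`
}

// ExpirationFromTTL derives the absolute expiration from the server's own
// clock, so the token lifetime is exactly the validated TTL regardless of
// what time the client thinks it is. Self-service callers are capped at
// 15 minutes; every caller is capped at 31 days.
func ExpirationFromTTL(now time.Time, ttl time.Duration, selfService bool) (time.Time, error) {
	if ttl <= 0 {
		return time.Time{}, ErrNonPositiveTTL
	}
	limit := maxTTL
	if selfService {
		limit = maxSelfServiceTTL
	}
	if ttl > limit {
		return time.Time{}, fmt.Errorf("%w: %s > %s", ErrTTLTooLong, ttl, limit)
	}
	return now.Add(ttl), nil
}

// ParseTTLRequest decodes the body and rejects unknown fields, so a client
// that still sends the old "expiresAt" field is refused rather than
// silently ignored.
func ParseTTLRequest(body []byte) (time.Duration, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req createTokenRequest
	if err := dec.Decode(&req); err != nil {
		return 0, err
	}
	return time.Duration(req.TTLSeconds) * time.Second, nil
}

// LifetimeFromAbsolute shows the pre-fix behaviour: when the client sends
// an absolute expiration computed from its own clock, the lifetime the
// server actually grants is expiresAt minus server time, so any drift
// between the two clocks changes it.
func LifetimeFromAbsolute(serverNow, clientExpiresAt time.Time) time.Duration {
	return clientExpiresAt.Sub(serverNow)
}

func main() {
	serverNow := time.Date(2025, 8, 20, 12, 0, 0, 0, time.UTC)
	// Constructed scenario: the client's clock is 10 minutes behind.
	clientNow := serverNow.Add(-10 * time.Minute)

	// Before: a "15 minute" token requested via absolute date lasts 5 minutes.
	fmt.Println("absolute date, drifted client:", LifetimeFromAbsolute(serverNow, clientNow.Add(15*time.Minute)))

	// After: the client sends ttl=900 and the server does the arithmetic.
	ttl, err := ParseTTLRequest([]byte(`{"ttl": 900}`))
	if err != nil {
		panic(err)
	}
	exp, err := ExpirationFromTTL(serverNow, ttl, true)
	fmt.Println("ttl, drifted client:", exp.Sub(serverNow), err)

	// Limits are enforced server-side, also for direct API calls.
	_, err = ExpirationFromTTL(serverNow, time.Hour, true)
	fmt.Println("self-service 1h:", err)
	_, err = ExpirationFromTTL(serverNow, 32*24*time.Hour, false)
	fmt.Println("any caller 32d:", err)

	// A leftover absolute date in the body is rejected outright.
	_, err = ParseTTLRequest([]byte(`{"expiresAt":"2030-01-01T00:00:00Z"}`))
	fmt.Println("unknown field:", err)
}
```

The important property is that `ExpirationFromTTL` never reads a timestamp from the request: the only client-controlled input is a duration, and it is range-checked before the server clock is consulted.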

OVERLORD added the pull-request label 2025-10-08 00:13:25 +03:00
Reference: starred/pocket-id-pocket-id-1#587