Labels: type:bug (Impaired feature or lacking behavior that is likely assumed)
Description
New Issue Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting, search existing issues.
Issue Description
Token lookup uses inverted expiry comparator and lacks Auth.maintenance/limit.
- _perishable_token_expires_at should be greater than “now” for a valid token.
- Use Auth.maintenance like the email path for consistency.
- Limit results to 1.
Apply:
- userResults = await req.config.database.find('_User', {
- _perishable_token: token,
- _perishable_token_expires_at: { $lt: Parse._encode(new Date()) },
- });
+ userResults = await req.config.database.find(
+ '_User',
+ {
+ _perishable_token: token,
+ _perishable_token_expires_at: { $gt: Parse._encode(new Date()) },
+ },
+ { limit: 1 },
+ Auth.maintenance(req.config)
+ );
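Review bot: the comparator flip from `$lt` to `$gt` on `_perishable_token_expires_at` is the security-relevant part of this hunk, since the removed condition matched only tokens whose expiry had already passed, so it should land together with a regression test that covers both an expired and an unexpired token. Note also that `$gt` does not match documents where the field is absent, so confirm that every path that issues a `_perishable_token` also sets `_perishable_token_expires_at`, or reset tokens created without an expiry will stop resolving after this change.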
🤖 Prompt for AI Agents

In src/Routers/UsersRouter.js around lines 454 to 471, the token lookup query uses the wrong expiry comparator and is missing the same options as the email path; change the _perishable_token_expires_at check to $gt Parse._encode(new Date()) so only unexpired tokens match, and call req.config.database.find with the same options as the email branch: pass { limit: 1 } and Auth.maintenance(req.config) as the query options so the lookup is limited to one result and runs under maintenance context.
Reported by @coderabbitai