Merge pull request #3883 from overleaf/bg-expire-tokens

expire tokens from mongo

GitOrigin-RevId: 5666fd40d04e122f2bc2a22bff24c0723e1e9a73

services/web/app/src/Features/User/UserEmailsConfirmationHandler.js

@@ -7,7 +7,8 @@ const UserUpdater = require('./UserUpdater')
 const UserGetter = require('./UserGetter')
 const { promisify } = require('util')
 
-const ONE_YEAR_IN_S = 365 * 24 * 60 * 60
+// Reject email confirmation tokens after 90 days
+const TOKEN_EXPIRY_IN_S = 90 * 24 * 60 * 60
 
 function sendConfirmationEmail(userId, email, emailTemplate, callback) {
   if (arguments.length === 3) {
@@ -29,7 +30,7 @@ function sendConfirmationEmail(userId, email, emailTemplate, callback) {
   OneTimeTokenHandler.getNewToken(
     'email_confirmation',
     data,
-    { expiresIn: ONE_YEAR_IN_S },
+    { expiresIn: TOKEN_EXPIRY_IN_S },
     function(err, token) {
       if (err) {
         return callback(err)

services/web/test/unit/src/User/UserEmailsConfirmationHandlerTests.js

@@ -70,7 +70,7 @@ describe('UserEmailsConfirmationHandler', function() {
           .calledWith(
             'email_confirmation',
             { user_id: this.user_id, email: this.email },
-            { expiresIn: 365 * 24 * 60 * 60 }
+            { expiresIn: 90 * 24 * 60 * 60 }
           )
           .should.equal(true)
       })