denihs
2022-07-13 10:25:49 -04:00
parent 9530de1ac9
commit d17600c7e7
2 changed files with 9 additions and 4 deletions


@@ -14,6 +14,8 @@ const VALID_CONFIG_KEYS = [
'ambiguousErrorMessages',
'bcryptRounds',
'defaultFieldSelector',
'loginTokenExpirationHours',
'tokenSequenceLength',
];
/**
@@ -218,6 +220,8 @@ export class AccountsCommon {
* @param {Number} options.passwordEnrollTokenExpiration The number of milliseconds from when a link to set initial password is sent until token expires and user can't set password with the link anymore. If `passwordEnrollTokenExpirationInDays` is set, it takes precedent.
* @param {Boolean} options.ambiguousErrorMessages Return ambiguous error messages from login failures to prevent user enumeration. Defaults to false.
* @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include `email` when excluding the fields, you can have problems with functions like `forgotPassword` that will break because they won't have the required data available. It's recommend that you always keep the fields `_id`, `username`, and `email`.
* @param {Number} options.loginTokenExpirationHours When using the package `accounts-2fa`, use this to set the amount of time a token sent is valid. As it's just a number, you can use, for example, 0.5 to make the token valid for just half hour. The default is 1 hour.
* @param {Number} options.tokenSequenceLength When using the package `accounts-2fa`, use this to the size of the token sequence generated. The default is 6.
*/
config(options) {
// We don't want users to accidentally only call Accounts.config on the
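Review bot: The new JSDoc line for `tokenSequenceLength` (the last `@param` before `*/`) is missing its verb ("use this to the size of the token sequence generated"); suggested wording, keeping the package name formatted as on the neighbouring line: `* @param {Number} options.tokenSequenceLength When using the package accounts-2fa, use this to set the length of the generated token sequence. The default is 6.` The `loginTokenExpirationHours` line has a similar slip ("half hour" should read "half an hour"). Neither line states which values are acceptable, and the first hunk at `VALID_CONFIG_KEYS` only registers the key names, so whether `config()` rejects a non-positive or non-numeric value cannot be seen here; the body of `config(options)` continues outside the hunk. If the sequence length is the number of digits in the one-time token, as the name suggests, the doc should say that values below the default shrink the code space, and `config()` would ideally enforce a minimum.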


@@ -1,5 +1,5 @@
import { Accounts } from 'meteor/accounts-base';
import {getUserById, NonEmptyString, tokenValidator} from './server_utils';
import { getUserById, NonEmptyString, tokenValidator } from './server_utils';
import { Random } from 'meteor/random';
const ONE_HOUR_IN_MILLISECONDS = 60 * 60 * 1000;
@@ -11,11 +11,12 @@ const checkToken = ({ user, sequence, selector }) => {
const { createdAt, token: userToken } = user.services.passwordless;
const { loginTokenExpirationHours = 1 } = Accounts._options || {};
if (
new Date(
createdAt.getTime() +
Accounts._options.loginTokenExpirationHours * ONE_HOUR_IN_MILLISECONDS
) >= new Date()
createdAt.getTime() + loginTokenExpirationHours * ONE_HOUR_IN_MILLISECONDS
) <= new Date()
) {
result.error = Accounts._handleError('Expired token', false);
}