Invalid Confirmation Token

MikeJones

A buddy of mine joined my Flarum and when he clicked his confirmation email he got an error that said invalid confirmation token.

Do these time out if they wait a day or two after registering?

He eventually was able to activate his account after logging in and re-sending the confirmation and it worked the second time.

Would an invalid confirmation token show up in a log? I want to make sure other users are not having the same issues registering on my flarum.

clarkwinkelmann

MikeJones unfortunately I don't think those are logged by Flarum. They might be logged by your webserver though, if you look for GET requests to /confirm/<token> with a 403 response code. Knowing which users were impacted will probably be very complex because I believe expired tokens are deleted once tried, so you will only know how many attempts failed, not which or how many different users are impacted. This will be a good estimate though.

As for the first question yes the tokens expire, but I don't know what's the delay. If it's not written in the email maybe someone can go ahead looking for what it is and add it to the email text, ideally in way that's dynamic if it changes in the future or via an extension.