For how long are password tokens valid?

SKevo

Hi, quick question.

I am working on code cleanup for FreeFlarum. I'd like to create a password token, insert it into database and E-Mail user upon forum creation so that they can set their password themselves right away, instead of having FreeFlarum generate a random one for them.

How long are the tokens valid for? Is there a specific duration or are they valid for eternity?

askvortsov

SKevo Looking at https://discuss.flarum.org/d/22642-security-roadmap, seems that these tokens are deleted after 24 hours.

Assuming you have programmatic access to the FreeFlarum databases, you could set up a basic Django app or something that would associate each FreeFlarum site with a unique token, and send those tokens out to users. When they visit the site with those tokens, it would add a password reset token to the applicable FreeFlarum database, and make that link available to the user.

Or to make it even simpler, have a throttled button that will generate a password reset token and send it in an email to the owner of the FreeFlarum forum.

SKevo

askvortsov thanks for quick reply. Yes, I do have access, I just asked because I wanted to know what should we tell users, for how long is the link valid