[Bug]: Recovery emails / links do not respect token_expiry #9671

Open
fullykubed opened this issue May 9, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@fullykubed

fullykubed commented May 9, 2024

Describe the bug

There is no way to change the token expiration time window from the default 30 minutes.

This is despite the example flows and API documentation stating that the email stage's token_expiry property should be able to change the token expiry.

To Reproduce

Here is an example stage that demonstrates the issue.

resource "authentik_stage_email" "email" {
  name                     = "example-recovery-email"
  use_global_settings      = true
  activate_user_on_success = true
  token_expiry             = 60
  subject                  = "Reset your ${var.organization_name} account!"
}

  1. Deploy the above and integrate it into a recovery flow.
  2. Try to issue a recovery email or generate a recovery link.
  3. Check the authentik_core_token table. Notice that the expiration time is only 30 minutes in the future.

Expected behavior

The expiration time of tokens should match the configured token_expiry.

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.2
  • Deployment: helm

Additional Context:

It seems weird that token_expiry is on the stage rather than the flow, especially since we can generate recovery links without emails. Perhaps this is just an old property that needs to be deleted? If so, it would be ideal to be able to set expiration windows on recovery links via some other mechanism.

@fullykubed fullykubed added the bug Something isn't working label May 9, 2024
@fullykubed
Author

Additional info: Does not matter whether use_global_settings is true or false.

@BeryJu
Member

BeryJu commented May 9, 2024

From quickly looking through the code, I can see how this would happen if the token expires and is rotated (when the token is rotated we currently default to the default expiry value, which is 30 minutes).

@fullykubed
Author

While I could be confusing terms, I believe the issue we have found is specifically with token creation during the recovery flows.

In other words:

  1. No token / active recovery flow exists for the user
  2. Click create recovery link / send recovery email for the user
  3. Notice that the new token is created in the authentik_core_token table but that it will always have an expiration time 30 minutes in the future regardless of the token_expiry setting.
  4. Validate that after 30 minutes the reset links do not work.
