Wasp · 3w ago
ralph

How long do email verification tokens take to expire?

user getting "Email verification failed, invalid token" after like two hours?
12 Replies
kapa.ai · 3w ago
Hi @ralph. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

I'm sorry, but the knowledge sources do not specify the exact expiration time for email verification tokens in Wasp. While there is discussion about token expiration and handling expired tokens, no default duration or configuration for token validity is mentioned in the official documentation or related discussions. If you are experiencing tokens expiring after about two hours, this may be the current default or a project-specific configuration, but I cannot confirm this from the available sources. If you need to adjust the expiration time, you may need to look into your project's configuration or Wasp's source code, as the documentation does not provide explicit guidance on this setting. If you want to allow users to resend verification emails, you might consider implementing a custom action for that purpose, as discussed in community threads, but again, the official docs do not provide a built-in solution for resending verification emails or changing token expiration duration at this time. For more details on the email verification flow, see the Email Verification Flow documentation.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Sorry @ralph, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
neogeofun · 2w ago
@miho I think this is something important that should be in docs. I'd add it but I also don't know the time limit.
toticozeni · 2w ago
Hey @ralph, email verification tokens are valid for 30 minutes. This is something we should most likely also include in the email verification email itself. I'll open up an issue about it.
toticozeni · 2w ago
First version of the issue is here: https://github.com/wasp-lang/wasp/issues/3095
GitHub
Add transparecy on how long do access tokens last · Issue #3095 ·...
Currently Wasp is not transparent around token expiration times. Tokens which asynchronously interact with the user should display how long they are valid for. e.g. email verification link should s...
ralph (OP) · 2w ago
Nice, never had anyone have to open an issue because of me before. I feel like such a Karen.
toticozeni · 2w ago
Hahahaha, no worries. Each time a user has a problem it probably means something is lacking on our end. We do make sure to record everything which is meaningful. Only downside to this is we record so much that it may take a while to fix everything 😅 . Currently at almost 700 issues.
neogeofun · 2w ago
@franjo is this the case in prod too, or just dev verifications? If so, is there a way to make it longer? Finally, if someone doesn't verify their email in the allocated time, what happens? To clarify, do we delete the AuthSession associated with registration? If not, what happens when the user returns and tries to register again, since they cannot use the verification token anymore?
toticozeni · 2w ago
@miho is usually the auth guy, but he is off for 3 weeks now. Email verification duration is the same for all environments. I've checked the source code and we have this comment for signup:
* 2. If the user is not verified:
* - We check when we last sent a verification email and if it was less than X seconds ago,
* we don't send another one.
* - If it was more than X seconds ago, we delete the user and create a new one.
* - This prevents the attacker from creating an account with somebody
* else's email address and therefore permanently making that email
* address unavailable for later account creation (by real owner).
You can check the logic for email signup here: https://github.com/wasp-lang/wasp/blob/main/waspc/data/Generator/templates/server/src/auth/providers/email/signup.ts
neogeofun · 2w ago
Okay, that's reasonable. Seems like I'll only need to figure out how to extend verification time.
toticozeni · 2w ago
We have:
async function createEmailJWT(email: string): Promise<{ jwtToken: string; }> {
const jwtToken = await createJWT({ email }, { expiresIn: new TimeSpan(30, "m") });
return { jwtToken };
}
I don't think this is exposed as configuration. And this is generated code, so changing it will not be permanent. This is a good point for the auth refactor. We are planning to make the interfaces more onion-like, where you can access and configure lower-level parts as needed.
toticozeni · 2w ago
GitHub
Improve Auth · Issue #2875 · wasp-lang/wasp
We focus on fundamentals in Must → stuff that enables using and building upon Auth, having Auth be “right”. Stuff in Should then adds upon that. Must Upgrade main deps replace Lucia with our own co...
neogeofun · 2w ago
Thank you.