Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Invites never expire (no TTL on pending tokens) #37

New Issue
Closed
opened 2026-06-09 19:08:42 +00:00 by thatguygriff · 1 comment
thatguygriff commented 2026-06-09 19:08:42 +00:00
Owner
Copy Link
Copy Source

Severity: Low — hardening.

Problem

Pending invite tokens are valid indefinitely (src/Auth/InviteRepository.php); there is no expiry. Token entropy is fine (wp_generate_password(32)), so this is about limiting the window of a leaked/forwarded link.

Fix

Add a TTL (e.g. 7–14 days): store/compare against created_at when resolving a token in findByToken/registration, and treat expired pending invites as invalid. Surface expiry state on the admin invites page.

**Severity: Low** — hardening. ## Problem Pending invite tokens are valid indefinitely ([src/Auth/InviteRepository.php](src/Auth/InviteRepository.php)); there is no expiry. Token entropy is fine (`wp_generate_password(32)`), so this is about limiting the window of a leaked/forwarded link. ## Fix Add a TTL (e.g. 7–14 days): store/compare against `created_at` when resolving a token in `findByToken`/registration, and treat expired pending invites as invalid. Surface expiry state on the admin invites page.
thatguygriff added the security label 2026-06-09 19:08:42 +00:00
thatguygriff commented 2026-06-10 20:17:52 +00:00
Author
Owner
Copy Link
Copy Source

Verified resolved on main (061d09e, PR #38): Invite::EXPIRY_DAYS = 14 — isAcceptable() (pending + not expired) is enforced both when rendering the registration form and again on submit, and the admin Invites page badges expired invites. Further hardened by #41 / PR #43, which stores only the SHA-256 hash of the token at rest. Re-confirmed during the 2026-06-10 security review pass.

Verified resolved on main (061d09e, PR #38): Invite::EXPIRY_DAYS = 14 — isAcceptable() (pending + not expired) is enforced both when rendering the registration form and again on submit, and the admin Invites page badges expired invites. Further hardened by #41 / PR #43, which stores only the SHA-256 hash of the token at rest. Re-confirmed during the 2026-06-10 security review pass.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 enhancement
Extends an existing feature
 feature
New user-facing capability
 payments
Billing, Stripe, receipts, reporting
 security
Security vulnerability or hardening
No Label security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
thatguygriff (James Griffin-Allwood)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Unsupervised/unsupervised-scheduler#37
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?