fix: for one-time access tokens and signup tokens, pass TTLs instead of absolute expiration date (#855)

2026-02-14 17:37:27 +00:00 · 2025-08-21 23:02:56 -07:00
parent 49f0fa423c
commit 7ab0fd3028
12 changed files with 205 additions and 70 deletions
--- a/backend/internal/dto/signup_token_dto.go
+++ b/backend/internal/dto/signup_token_dto.go
@@ -1,14 +1,13 @@
 package dto

 import (
-	"time"
-
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type SignupTokenCreateDto struct {
-	ExpiresAt  time.Time `json:"expiresAt" binding:"required"`
-	UsageLimit int       `json:"usageLimit" binding:"required,min=1,max=100"`
+	TTL        utils.JSONDuration `json:"ttl" binding:"required,ttl"`
+	UsageLimit int                `json:"usageLimit" binding:"required,min=1,max=100"`
 }

 type SignupTokenDto struct {
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -1,7 +1,7 @@
 package dto

 import (
-	"time"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type UserDto struct {
@@ -30,8 +30,8 @@ type UserCreateDto struct {
 }

 type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId"`
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+	UserID string             `json:"userId"`
+	TTL    utils.JSONDuration `json:"ttl" binding:"ttl"`
 }

 type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
@@ -40,7 +40,7 @@ type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
 }

 type OneTimeAccessEmailAsAdminDto struct {
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
 }

 type UserUpdateUserGroupDto struct {
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,29 +1,42 @@
 package dto

 import (
-	"log/slog"
-	"os"
 	"regexp"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"

 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
 )

-// [a-zA-Z0-9]      : The username must start with an alphanumeric character
-// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
-// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
-var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
-
-var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
-	return validateUsernameRegex.MatchString(fl.Field().String())
-}
-
 func init() {
-	v, _ := binding.Validator.Engine().(*validator.Validate)
-	err := v.RegisterValidation("username", validateUsername)
+	v := binding.Validator.Engine().(*validator.Validate)
+
+	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
+	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
+	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
+	var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
+
+	// Maximum allowed value for TTLs
+	const maxTTL = 31 * 24 * time.Hour
+
+	// Errors here are development-time ones
+	err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
+		return validateUsernameRegex.MatchString(fl.Field().String())
+	})
 	if err != nil {
-		slog.Error("Failed to register custom validation", slog.Any("error", err))
-		os.Exit(1)
-		return
+		panic("Failed to register custom validation for username: " + err.Error())
+	}
+	err = v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
+		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
+		if !ok {
+			return false
+		}
+		// Allow zero, which means the field wasn't set
+		return ttl.Duration == 0 || ttl.Duration > time.Second && ttl.Duration <= maxTTL
+	})
+	if err != nil {
+		panic("Failed to register custom validation for ttl: " + err.Error())
 	}
 }