extend the password reset token expiration from 1 hour to 48 hours. this is...

extend the password reset token expiration from 1 hour to 48 hours. this is mostly driven by the fact that new user invites include a password reset and expiring those after 1 hour seems ludicrous.

extend the password reset token expiration from 1 hour to 48 hours. this is...
8e58aec2 · Allen Gilliland · 83a22b73 · 8e58aec2
Commit 8e58aec2 authored 9 years ago by Allen Gilliland
--- a/src/metabase/api/session.clj
+++ b/src/metabase/api/session.clj
@@ -94,8 +94,8 @@
            (when (try (creds/bcrypt-verify token reset_token)
                       (catch Throwable _))

-              ;; check that the reset was triggered within the last 1 HOUR, after that the token is considered expired
-              (checkp (> (* 60 60 1000) (- (System/currentTimeMillis) (or reset_triggered 0)))
+              ;; check that the reset was triggered within the last 48 HOURS, after that the token is considered expired
+              (checkp (> (* 48 60 60 1000) (- (System/currentTimeMillis) (or reset_triggered 0)))
                'password "Reset token has expired")

              (set-user-password user-id password)