Open pradel opened 4 years ago
I think that's a good idea :+1: and afaik also what meteor is doing for sessions?
@sakulstra iirc meteor is using an internal `setInterval` to delete the sessions
You are right, with "what meteor does" I meant cleaning up sessions, but not via TTL - not sure why though 🤔
@sakulstra the sessions are stored as a token saved inside the user object and TTL is not working in such a case. If they wanted to use it they would have to move the sessions to a separate collection. I remember reading an issue about this but they said that since it was not causing performance issues there was no point to move it to a separate collection.
Feature request
In the Mongo package, we could store the reset password tokens in a separate collection and use the TTL feature of Mongo to delete them automatically once they expire. Right now if I ask for a lot of reset password emails but actually never use them, the user object will never be cleaned and the `service.password.reset` object will be set to an array containing all the tokens. The tokens are only cleared if a user finishes the process currently.
Additional context
This is a breaking change on the database schema.
Also, the same thing can be applied to:
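
The following is an added example, not part of the issue or the project's code. It models the design proposed in the feature request above (one document per reset token in its own collection, with a TTL index) in memory, and shows why the token lookup should still check expiry itself. The collection, field and function names are hypothetical.

```javascript
// Added example: in-memory model of a dedicated reset-token collection.
// All names (passwordResetTokens, expiresAt, sweepExpired, ...) are hypothetical.

// The index the real collection would carry, in MongoDB shell syntax:
//   db.passwordResetTokens.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })
const TTL_INDEX = { field: 'expiresAt', expireAfterSeconds: 0 };

// One document per token instead of an array inside the user document.
function issueResetToken(collection, userId, token, now, lifetimeMs) {
  collection.push({ userId, token, expiresAt: new Date(now.getTime() + lifetimeMs) });
}

// Mimics one pass of MongoDB's TTL monitor: a document is removed once
// field + expireAfterSeconds is in the past. Documents whose indexed field
// is missing or not a Date are never removed by TTL.
function sweepExpired(collection, index, now) {
  return collection.filter((doc) => {
    const value = doc[index.field];
    if (!(value instanceof Date)) return true;
    return value.getTime() + index.expireAfterSeconds * 1000 > now.getTime();
  });
}

// The monitor runs periodically, so an expired document can still be present
// when a token is presented. Validity is therefore checked here as well,
// and a document without a usable expiry is rejected.
function findValidToken(collection, token, now) {
  const doc = collection.find((d) => d.token === token);
  if (!doc || !(doc.expiresAt instanceof Date)) return null;
  return doc.expiresAt.getTime() > now.getTime() ? doc : null;
}

// Constructed sample data: reset requests for one user, none ever used.
function demo() {
  const HOUR = 60 * 60 * 1000;
  const t0 = new Date('2024-01-01T00:00:00Z');
  let tokens = [];
  issueResetToken(tokens, 'user-1', 'tok-a', t0, HOUR);
  issueResetToken(tokens, 'user-1', 'tok-b', new Date(t0.getTime() + HOUR / 2), HOUR);
  tokens.push({ userId: 'user-1', token: 'tok-legacy' }); // no expiresAt field

  const later = new Date(t0.getTime() + 70 * 60 * 1000); // tok-a expired, not yet swept
  const beforeSweep = findValidToken(tokens, 'tok-a', later);
  tokens = sweepExpired(tokens, TTL_INDEX, later);
  return { beforeSweep, remaining: tokens.map((d) => d.token) };
}
```

Documents written without the indexed date field are never removed by the TTL index, so data migrated from the old schema needs an expiry set explicitly.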