kolide / fleet

A flexible control server for osquery fleets
https://kolide.com/fleet
MIT License

Password resets and invites should use consistent expiration strategies #613

Open zwass opened 7 years ago

zwass commented 7 years ago

See https://github.com/kolide/kolide-ose/blob/master/server/service/service_invites.go#L77 and https://github.com/kolide/kolide-ose/blob/master/server/service/service_users.go#L197

groob commented 7 years ago

Another thing here with password resets is that the update timestamps are set by the datastore, but here they're being set up in service. Won't they be overridden by MySQL? Question for @murphybytes

zwass commented 7 years ago

Yeah, that's something that we are doing in some places, but it's effectively a noop.

groob commented 7 years ago

I personally prefer the strategy used in invites because it doesn't add an extra field and we already have timestamps we should be relying on for each object. But I agree that we should discuss the merits of both and standardize the implementation.

groob commented 7 years ago

The functional difference is that if you change a config value, the invite token will be considered expired/not expired depending on the config duration. This might be a pro or a con.

Using ExpiredAt is fixed at time of creation.
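To make the functional difference described in this thread concrete, here is an added Go example that is not Fleet's code and does not mirror its schema or service layer. It puts the two strategies side by side on one token record: "by config" derives the deadline at check time from the creation timestamp plus the currently configured lifetime (the invites approach), while "by field" reads a fixed ExpiresAt stamped at creation (the password-reset approach). The Token type, its field names, and the Compare helper are assumptions for illustration; the timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Token is a simplified stand-in for an invite or password-reset record.
// It carries both timestamps so the two strategies can be checked on the
// same record. Field names are assumptions for this example, not Fleet's.
type Token struct {
	Value     string
	CreatedAt time.Time
	ExpiresAt time.Time // frozen at creation (strategy "by field")
}

// NewToken issues a token at now and stamps ExpiresAt using the lifetime
// in effect at creation time.
func NewToken(value string, now time.Time, lifetime time.Duration) Token {
	return Token{Value: value, CreatedAt: now, ExpiresAt: now.Add(lifetime)}
}

// ExpiredByConfig is the invites strategy: the deadline is recomputed on
// every check from CreatedAt and the *current* configured lifetime, so a
// later config change retroactively shortens or extends existing tokens.
func ExpiredByConfig(t Token, now time.Time, configLifetime time.Duration) bool {
	return now.After(t.CreatedAt.Add(configLifetime))
}

// ExpiredByField is the password-reset strategy: the deadline was fixed
// when the token was created, so config changes after that have no effect.
func ExpiredByField(t Token, now time.Time) bool {
	return now.After(t.ExpiresAt)
}

// Compare issues a token while the configured lifetime is createdLifetime,
// then changes the configuration to configLifetime and checks the token
// elapsed after creation. It returns (expiredByConfig, expiredByField) so
// the two strategies can be contrasted for the same record and clock.
func Compare(createdLifetime, configLifetime, elapsed time.Duration) (bool, bool) {
	created := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	tok := NewToken("constructed-token", created, createdLifetime)
	now := created.Add(elapsed)
	return ExpiredByConfig(tok, now, configLifetime), ExpiredByField(tok, now)
}

func main() {
	// Config shortened from 24h to 1h after issuance; checked at 2h.
	// By-config expires the token early; by-field still honours 24h.
	byConfig, byField := Compare(24*time.Hour, time.Hour, 2*time.Hour)
	fmt.Printf("shortened config: byConfig=%v byField=%v\n", byConfig, byField)

	// Config lengthened from 1h to 24h after issuance; checked at 2h.
	// By-config revives a token that had already lapsed; by-field keeps it dead.
	byConfig, byField = Compare(time.Hour, 24*time.Hour, 2*time.Hour)
	fmt.Printf("lengthened config: byConfig=%v byField=%v\n", byConfig, byField)
}
```

The second scenario is the case to weigh when choosing: under the by-config strategy, raising the configured lifetime makes any still-stored token that had already lapsed valid again, so tokens would need to be deleted rather than merely left to expire if the config is expected to change. The by-field strategy costs an extra column but gives each token a deadline that cannot move after issuance.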