Accessibility: Increase default email validation timeout
#41,915 opened on 2025年8月15日
Repository metrics
- Stars
- (34,398 stars)
- PR merge metrics
- (平均マージ 6d 19h) (30d で 384 merged PRs)
説明
Description
There is a setting under Realm settings -> Tokens, section Action tokens, named User-initiated Action Lifespan, which is by default set to 5 minutes.
Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to a self-created action quickly.
I understand this reasoning, but it ignores some important factors that can make this link expire before the user even received the email, and that risks effectively locking out senior citizens and any other group of people that has trouble performing tasks like these (which are very complicated to them) in under 5 minutes.
- The validation link is sent by mail, but email does NOT offer any delivery guarantees and in many cases e-mails WILL actually take a few minutes before they even arrive
- The email is coming from an untrusted sender (not in contacts), and so may end up in the spam folder. Locating it there is a challenge for many inexperienced computer users, which will take them a few minutes
- The email is coming from an untrusted sender (not in contacts), so many mail clients will actually disable images and links in such emails, by default. Users then have to know how to copy-paste the link into the browser address bar, or how to enable images and links in their mail client
Please raise this timeout to 1 hour at least.
Discussion
No response
Motivation
I respect that security is important, but IMHO the current setting is so overly restrictive for inexperienced users that it creates a very real usability/accessibility issue for large groups of users. These users also are unable to understand what/why it went wrong, making it very complicated for them to even communicate their issue with e.g a helpdesk.
5 minutes really is very, very short. Even banks usually give you at least 10 or 15 minutes.... Because if they don't, grandpas and grandmas keep getting logged out of the system before they are able to submit their transaction. I am a senior developer and even I have found myself in the situation where I was unable to complete the task in time, due to an e-mail or sms just taking too long to arrive, combined with a super short timeout.
IMHO the balance is missing here in this default. Hope you will address it.
Details
Your defaults are locking out people. I think you should know this.
I would suggest a default of one hour here. Maybe even 8 hours... To abuse the link, you need to intercept the email containing it AND use the link before the actual recipient does. Whether the timeout is 5 minutes or 1 hour, unless you as a hacker automate the process of finding links and clicking on them before the user does so, you will probably not be able to beat the user to it. But the other way is also true; it is not that hard to automate that, so if you are indeed able to intercept their email (the harder part I think), clicking the link in it in under 5 minutes will be NO PROBLEM at all for the hacker, while it presents a major, locking out users, hurdle to grandma...