feat: adds configurable expiration prop for password reset tokens (#…

…9710) ### What? Unable to configure expiration time for the password reset tokens. ### Why? Prior to this change, the expiration time for password reset tokens were defaulted. ### How? Adds new `expiration` prop to `auth.forgotPassword` object which allows for the option to configure the expiration time of password reset tokens.
payloadcms · Dec 4, 2024 · 9bffa09 · 9bffa09
1 parent d118544
commit 9bffa09
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/docs/authentication/email.mdx b/docs/authentication/email.mdx
@@ -111,6 +111,7 @@ The following options are available:
 
 | Option               | Description                                                                                                                                                                                                                         |
 |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **`expiration`** | Configure how long password reset tokens remain valid, specified in milliseconds. |
 | **`generateEmailHTML`** | Allows for overriding the HTML within emails that are sent to users attempting to reset their password. [More details](#generateEmailHTML). |
 | **`generateEmailSubject`** | Allows for overriding the subject of the email that is sent to users attempting to reset their password. [More details](#generateEmailSubject). |
 

diff --git a/packages/payload/src/auth/operations/forgotPassword.ts b/packages/payload/src/auth/operations/forgotPassword.ts
@@ -136,7 +136,9 @@ export const forgotPasswordOperation = async <TSlug extends CollectionSlug>(
     }
 
     user.resetPasswordToken = token
-    user.resetPasswordExpiration = new Date(expiration || Date.now() + 3600000).toISOString() // 1 hour
+    user.resetPasswordExpiration = new Date(
+      collectionConfig.auth?.forgotPassword?.expiration || expiration || Date.now() + 3600000,
+    ).toISOString() // 1 hour
 
     user = await payload.update({
       id: user.id,

diff --git a/packages/payload/src/auth/types.ts b/packages/payload/src/auth/types.ts
@@ -221,6 +221,7 @@ export interface IncomingAuthType {
    * @link https://payloadcms.com/docs/authentication/email#forgot-password
    */
   forgotPassword?: {
+    expiration?: number
     generateEmailHTML?: GenerateForgotPasswordEmailHTML
     generateEmailSubject?: GenerateForgotPasswordEmailSubject
   }
@@ -279,6 +280,7 @@ export type VerifyConfig = {
 export interface Auth
   extends Omit<DeepRequired<IncomingAuthType>, 'forgotPassword' | 'loginWithUsername' | 'verify'> {
   forgotPassword?: {
+    expiration?: number
     generateEmailHTML?: GenerateForgotPasswordEmailHTML
     generateEmailSubject?: GenerateForgotPasswordEmailSubject
   }