♻️ Expired confirmation tokens are logged and INVITATION tokens do no…

…t expire (#3440)

services/web/server/src/simcore_service_webserver/login/_confirmation.py

@@ -29,12 +29,11 @@ async def validate_confirmation_code(
         {"code": code}
     )
     if confirmation and is_confirmation_expired(cfg, confirmation):
-        log.info(
-            "Confirmation code '%s' %s. Deleting ...",
-            code,
-            "consumed" if confirmation else "expired",
-        )
         await db.delete_confirmation(confirmation)
+        log.warning(
+            "Used expired token [%s]. Deleted from confirmations table.",
+            confirmation,
+        )
         return None
     return confirmation
 
@@ -68,6 +67,10 @@ async def is_confirmation_allowed(
         return True
     if is_confirmation_expired(cfg, confirmation):
         await db.delete_confirmation(confirmation)
+        log.warning(
+            "Used expired token [%s]. Deleted from confirmations table.",
+            confirmation,
+        )
         return True
 
 

services/web/server/src/simcore_service_webserver/login/_registration.py

@@ -80,7 +80,7 @@ async def check_registration(
     confirm: Optional[str],
     db: AsyncpgStorage,
     cfg: LoginOptions,
-):
+) -> None:
     # email : required & formats
     # password: required & secure[min length, ...]
 
@@ -115,6 +115,12 @@ async def check_registration(
             if is_confirmation_expired(cfg, _confirmation):
                 await db.delete_confirmation(_confirmation)
                 await db.delete_user(user)
+                log.warning(
+                    "Time to confirm a registration is overdue. Used expired token [%s]."
+                    "Deleted token from confirmations table and %s from users table.",
+                    _confirmation,
+                    f"{user=}",
+                )
                 return
 
         # If the email is already taken, return a 409 - HTTPConflict

services/web/server/src/simcore_service_webserver/login/settings.py

@@ -1,5 +1,5 @@
 from datetime import timedelta
-from typing import Literal, Optional
+from typing import Final, Literal, Optional
 
 from aiohttp import web
 from pydantic import BaseModel, validator
@@ -10,9 +10,10 @@
 
 from .._constants import APP_SETTINGS_KEY
 
-_DAYS = 1.0  # in days
-_MINUTES = 1.0 / 24.0 / 60.0  # in days
-
+_DAYS: Final[float] = 1.0  # in days
+_MINUTES: Final[float] = 1.0 / 24.0 / 60.0  # in days
+_YEARS: Final[float] = 365 * _DAYS
+_UNLIMITED: Final[float] = 99 * _YEARS
 
 APP_LOGIN_OPTIONS_KEY = f"{__name__}.APP_LOGIN_OPTIONS_KEY"
 
@@ -76,9 +77,9 @@ class LoginOptions(BaseModel):
     SMTP_USERNAME: Optional[str] = Field(...)
     SMTP_PASSWORD: Optional[SecretStr] = Field(...)
 
-    # lifetime limits are in days
+    # NOTE: lifetime limits are expressed in days (use constants above)
     REGISTRATION_CONFIRMATION_LIFETIME: PositiveFloat = 5 * _DAYS
-    INVITATION_CONFIRMATION_LIFETIME: PositiveFloat = 15 * _DAYS
+    INVITATION_CONFIRMATION_LIFETIME: PositiveFloat = _UNLIMITED
     RESET_PASSWORD_CONFIRMATION_LIFETIME: PositiveFloat = 20 * _MINUTES
     CHANGE_EMAIL_CONFIRMATION_LIFETIME: PositiveFloat = 5 * _DAYS
 
@@ -89,7 +90,6 @@ def get_confirmation_lifetime(
         value = getattr(self, f"{action.upper()}_CONFIRMATION_LIFETIME")
         return timedelta(days=value)
 
-    # TODO: translation?
     MSG_LOGGED_IN: str = "You are logged in"
     MSG_LOGGED_OUT: str = "You are logged out"
     MSG_2FA_CODE_SENT: str = "Code sent by SMS to {phone_number}"