Suggestion: short lifetime of verification tokens

[SylvainMJC]

Hello,

The lifetime of the verification token varies with the time of the day:

$expiryTimestamp = time() + $this->lifetime;

With this, the value of expiryTimestamp can be increased by up to 11 hours, depending on the time of the day.
I'm unsure if this is to confuse spambots or not, but it kinda defeats the purpose of specifying a lifetime through creating a config/packages/verify_email.yaml config file, as the actual lifetime of the token will always be longer than what we specified.

Maybe this should be optional so the token can have a really short lifespan of one hour instead of sometimes having it increase by 11 hours?

[jrushlow]

Good Morning @SylvainMJC

time() returns the current time in seconds since the Linux Epoch - this is an ever increasing number.
$this->lifetime; is an int which represents a fixed number of seconds - it defaults to 3600 (1 Hour)

When you add the value of $this->lifetime to the result of time() you get a fixed time in the future. In our case, 1 hour into the future.

We currently have an issue in maker bundle symfony/maker-bundle#727 that causes an in valid expiration date from being displayed correctly in generated emails. That referenced issue is for the reset password bundle, but it applies to this bundle as well.

Ultimately the problem comes down to time zones and how we convert the expiration time to a human readable format.

I have this bug at the top of my priorities list and hope to have a fix rolled out in the coming days. Stay tuned for progress!