## Critical Security Flaw: Password Reset Tokens Never Expire in Auth Service
A critical security vulnerability has been identified in an authentication service where password reset tokens have no expiration time. Once generated, these tokens remain valid indefinitely, creating a permanent backdoor for account compromise. This flaw fundamentally undermines the security model of password recovery, as any intercepted or discovered token can be used at any point in the future to take over a user's account.

The vulnerability is present in the token generation and validation logic within the `src/modules/auth/service/auth.service.ts` file. The issue is reproducible: a token requested via the `POST /api/auth/forgot-password` endpoint remains functional days or even years later when used with the `POST /api/auth/reset-password` endpoint. This behavior directly contradicts standard security practices, where such tokens should expire within a short, reasonable time window, typically 15 to 30 minutes.

The implications are severe. An attacker who gains access to a user's email inbox, even temporarily, can harvest an old reset link and use it at any later time to take over the account. Because there is currently no mechanism to invalidate outstanding tokens, users remain perpetually at risk. The discovery note calls for urgent remediation: setting an appropriate Time-To-Live (TTL), potentially limiting the number of active tokens per user, and implementing a token invalidation strategy so that tokens are revoked once used or superseded.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, authentication, password-reset, software-bug
- **Credibility**: unverified
- **Published**: 2026-04-15 05:22:34
- **ID**: 64920
- **URL**: https://whisperx.ai/en/intel/64920