Extend users password reset token TTL to 30 days#1162

Merged: elemdos merged 1 commit into main from fix/invite-token-ttl, Jun 4, 2026

Conversation

@elemdos (Collaborator) commented Jun 4, 2026

Addresses an issue where collaborator invitations don't work.

Summary

  • Bumps users.passwordResetToken.duration in the collections snapshot from 1800s (30 min) to 2592000s (30 days).
  • Collaboration invite links (/admin/auth?create=<token>&email=…) reuse PocketBase's password reset token. With a 30-minute TTL, invitees who didn't click immediately hit an expired-token error with no clear recovery path — surfaced as "I can't create my account."

Scope

  • Snapshot-only change: only applies to fresh installs. Existing instances keep 1800 and need to update via PocketBase admin (Collections → users → Options → Password reset duration).
  • _superusers token TTL is intentionally left at 1800 — admin password resets should stay short-lived.

Test plan

  • Fresh install picks up 2592000 on the users collection
  • Generate a collaboration link, wait >30 min, confirm it still works
  • Existing installs unaffected until manually bumped

Summary by CodeRabbit

  • Chores
    • Updated password reset token configuration settings.

Collaboration invite links reuse the password reset token. 30 min
TTL meant invitees who didn't click immediately got an expired-token
error with no clear recovery path. 30 days matches typical invite UX.

Snapshot-only — existing installs need to update via PocketBase admin.
coderabbitai Bot commented Jun 4, 2026

Walkthrough

Single migration file update that increases password reset token duration from 1800 to 2592000 seconds in the _pb_users_auth_ configuration snapshot.

Changes

Password Reset Token Duration Update

  • Layer: Password reset token duration configuration
  • File(s): migrations/1757326533_collections_snapshot.go
  • Summary: Migration updates the _pb_users_auth_ auth configuration to extend passwordResetToken.duration from 1800 (30 minutes) to 2592000 (30 days) seconds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Time for passwords to rest and reset,
Thirty days now—the better best!
From half an hour to a month so sweet,
Users will find their recovery complete.

🚥 Pre-merge checks: ✅ 4 passed, ❌ 1 failed

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title directly and accurately reflects the main change: extending the password reset token TTL from 30 minutes to 30 days.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.


coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@migrations/1757326533_collections_snapshot.go`:
- Around line 775-776: The migration increases users.passwordResetToken.duration
to 2,592,000s (~30 days) which lengthens the takeover window; revert this to a
short lifetime (e.g. 3600–86400s) for the existing reset token and implement a
separate invite token/flow instead of reusing the passwordResetToken: change the
migrated value for users.passwordResetToken.duration back to a short TTL, and
add a new token/collection/type for invites (used by
user.NewPasswordResetToken()/invite generation and confirmPasswordReset should
only accept the short-lived password reset token for real resets), or introduce
separate handlers so Users.requestPasswordReset/confirmPasswordReset continue to
use the short-lived token while invites use a distinct token/record and
confirmation path.
📥 Commits

Reviewing files that changed from the base of the PR and between 14bdad2 and fd1006d.

📒 Files selected for processing (1)
  • migrations/1757326533_collections_snapshot.go
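As an added example of the separation the reviewer asks for (not PocketBase's or this project's code): a purpose-bound HMAC token in which invites get the 30-day lifetime this PR wanted while password resets keep the snapshot's original 1800 s, so a token minted for one flow is rejected by the other. The `Purpose` type, the `purpose|email|exp|sig` format and the key are constructed for illustration; PocketBase's real tokens are JWTs and are not modelled here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Purpose names the one flow a token may complete (constructed example; PocketBase's real tokens are JWTs).
type Purpose string

const PurposeReset, PurposeInvite Purpose = "password_reset", "invite"

// Resets keep the snapshot's original 1800s; invites alone get the 30 days the PR wanted.
var ttl = map[Purpose]time.Duration{PurposeReset: 1800 * time.Second, PurposeInvite: 2592000 * time.Second}

func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// Issue mints "purpose|email|exp|sig"; purpose and expiry are covered by the MAC.
func Issue(key []byte, p Purpose, email string, now time.Time) string {
	payload := fmt.Sprintf("%s|%s|%d", p, email, now.Add(ttl[p]).Unix())
	return payload + "|" + sign(key, payload)
}

// Verify accepts tok only if the MAC checks, it is unexpired, and it was issued
// for the flow being completed, so a 30-day invite token cannot reset a password.
func Verify(key []byte, tok string, want Purpose, now time.Time) (string, error) {
	parts := strings.Split(tok, "|")
	if len(parts) != 4 || !hmac.Equal([]byte(parts[3]), []byte(sign(key, strings.Join(parts[:3], "|")))) {
		return "", fmt.Errorf("malformed token or bad signature")
	}
	if Purpose(parts[0]) != want {
		return "", fmt.Errorf("token issued for %q, not %q", parts[0], want)
	}
	if exp, err := strconv.ParseInt(parts[2], 10, 64); err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", fmt.Errorf("token expired")
	}
	return parts[1], nil
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Now()
	tok := Issue(key, PurposeInvite, "invitee@example.com", now)
	_, err := Verify(key, tok, PurposeReset, now) // right user, wrong flow: rejected
	fmt.Println(err)
}
```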

@elemdos elemdos merged commit 874b93c into main Jun 4, 2026
6 checks passed
@elemdos elemdos deleted the fix/invite-token-ttl branch June 4, 2026 04:29