Add maximum lifetime of 30m on password recovery tokens

Fixes https://jira.coreos.com/browse/QS-80

data/model/test/test_user.py

@@ -1,9 +1,30 @@
+from datetime import datetime
+
+import pytest
+
 from mock import patch
 
-from data.model.user import create_user_noverify
+from data.database import EmailConfirmation
+from data.model.user import create_user_noverify, validate_reset_code
+from util.timedeltastring import convert_to_timedelta
 from test.fixtures import *
 
 def test_create_user_with_expiration(initialized_db):
   with patch('data.model.config.app_config', {'DEFAULT_TAG_EXPIRATION': '1h'}):
     user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
     assert user.removed_tag_expiration_s == 60 * 60
+
+@pytest.mark.parametrize('token_lifetime, time_since', [
+  ('1m', '2m'),
+  ('2m', '1m'),
+  ('1h', '1m'),
+])
+def test_validation_code(token_lifetime, time_since, initialized_db):
+  user = create_user_noverify('foobar', 'foo@example.com', email_required=False)
+  created = datetime.now() - convert_to_timedelta(time_since)
+  confirmation = EmailConfirmation.create(user=user, pw_reset=True, created=created)
+
+  with patch('data.model.config.app_config', {'USER_RECOVERY_TOKEN_LIFETIME': token_lifetime}):
+    result = validate_reset_code(confirmation.code)
+    expect_success = convert_to_timedelta(token_lifetime) >= convert_to_timedelta(time_since)
+    assert expect_success == (result is not None)