When should user invite links (tokens) expire?

Should user invite links expire at all? If so, what would be a good expiry time?

That is a question that doesn't have a general answer: it depends on the value of the resource you're protecting, who are the people receiving your invitations, how secure is the channel you use to transmit these invitations and what are the threats you're trying to protect against.

However, generally speaking, never-expiring invitations aren't a very desirable property: in most cases, it doesn't make much sense for someone to accept an invitation 10 years after it's been issued, but it does open a (slight) security risk in the sense that very old, but still active, invitations will grow the size of the valid key space in relation to the total key space. In other words: an attacker trying out every potential key has a greater chance of finding a valid one.

Would it be a good idea to let users "extend" their invite?

I can't think of any scenario in which this would be a desirable functionality: it's effectively the same thing as having unlimited lifetime for the invitation except that it's more complex for everyone (developer as well as user).
Consider counting only business days

If you're worried about vacations and holidays, consider excluding weekends and holidays from your counting. This might be difficult if your users are spread across different nations, but I think there's value in counting business days rather than standard days.

Ten business days is three weeks, which should be pretty good for avoiding holidays (unless you're talking about those larger European holidays). Don't try to spell out this policy and how you count days in the email, just say when it'll expire. For users who will send the invitations, say the system supports 12+ days (since you're guaranteed at least non-business days).

Still, as Stephane noted, there is no standard answer for how much time is appropriate. It depends on your users. If counting business days is too cumbersome, just pick a larger number.

Weigh the pros and cons of extending the expiration time.

  • Is there a security risk you're trying to limit?
  • Is it unfair to other users to wait too long?

I strongly advise against extremely long periods. 20 business days or else 30 calendar days sounds good to me as an upper bound. Anybody on vacation for that long isn't really going to complain about just barely missing the token's window (they'll just ask for a new token).

"Extending" an invitation is nonsensical to me.

  • An informal inquiry for a new invitation should be sufficient
  • Don't advertise that it's possible if you're worried about abuse
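The two answers above make two separate points: Stephane's, that live-but-ancient invitations enlarge the valid key space, and the second answer's suggestion to count expiry in business days rather than calendar days. The following Python example is added here to show both together; it is not code from either answer. It assumes a purely in-memory store, a constructed holiday set, and a hypothetical `InviteStore` class of my own design. Tokens are drawn from a 256-bit space and only their SHA-256 digest is stored, so the valid set stays a vanishing fraction of the key space and a leaked table yields nothing usable; expired entries are deleted on sight and by a periodic purge.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Constructed holiday set for the example (not from the page; adjust per locale).
HOLIDAYS = frozenset({date(2024, 12, 25), date(2025, 1, 1)})


def add_business_days(start, business_days, holidays=frozenset()):
    """Return the calendar date reached by counting `business_days` weekdays
    that are not in `holidays`, starting from the day after `start`."""
    current = start
    remaining = business_days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:  # Mon..Fri only
            remaining -= 1
    return current


class InviteStore:
    """Hypothetical issuer of single-use invite tokens with business-day expiry."""

    def __init__(self, business_days=10, holidays=frozenset()):
        self.business_days = business_days
        self.holidays = holidays
        self._invites = {}  # sha256(token) -> (invited email, expires_on)

    @staticmethod
    def _digest(token):
        # Store a hash, not the token: a dumped table cannot be replayed.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email, today):
        """Create an invite and return (token, expiry date). The token itself
        is the only copy the server never keeps; it goes out in the email."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        expires_on = add_business_days(today, self.business_days, self.holidays)
        self._invites[self._digest(token)] = (email, expires_on)
        return token, expires_on

    def redeem(self, token, today):
        """Return the invited email if the token is known and unexpired, else None.
        The entry is removed either way, so a used or expired token never lingers
        in the valid set."""
        digest = self._digest(token)
        entry = self._invites.pop(digest, None)
        if entry is None:
            return None
        email, expires_on = entry
        if today > expires_on:
            return None
        return email

    def purge_expired(self, today):
        """Drop every expired invite; returns how many were removed."""
        stale = [d for d, (_, exp) in self._invites.items() if today > exp]
        for d in stale:
            del self._invites[d]
        return len(stale)

    def active_count(self):
        return len(self._invites)
```

Because the lookup key is a hash of a high-entropy random token, the dictionary lookup's timing reveals nothing an attacker can use; the token space (2^256) is what makes guessing infeasible, and `purge_expired` is what keeps the *valid* subset from growing over years, which is exactly the concern raised above. Ten business days from a Sunday is 12 calendar days, which is where the "12+ days" figure in the second answer comes from.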