AI built your password reset. You get the email, the link works, you shipped. What you actually shipped hands out reset tokens that are guessable and never expire.
What you shipped
The token comes from Math.random() (not cryptographically random) and is saved with no expiry. It’s predictable, and it stays valid forever.

How anyone exploits it
Math.random() is predictable, so an attacker can narrow down or brute-force valid tokens. And because tokens never expire, every reset link ever issued still works — one leaked link is permanent account access.
Why you won’t catch it
You request a reset, click your own link, it works. The weakness is in how the token is generated and that it never dies — neither of which a normal test inspects.
Why AI does it
Math.random() is the obvious way to “make a random string,” and adding an expiry is extra bookkeeping the happy path doesn’t need. Both shortcuts are invisible when you test your own reset.
The fix
Use a cryptographically secure token and set an expiry:
const crypto = require('crypto')
const token = crypto.randomBytes(32).toString('hex') // store it with an expiry, e.g. expiresAt = Date.now() + 60 * 60 * 1000 (1 hour)
Invalidate the token after one use.

Check your app
- Reset/verification tokens use crypto.randomBytes, never Math.random.
- Tokens expire (e.g. 1 hour) and are single-use.
- Old tokens are invalidated when a new one is issued.
The bigger problem
A senior dev catches this by reflex. But if nobody senior reads the code, the broken version ships — it works in every test, because every test takes the happy path. The author and the reviewer are the same model with the same blind spot.
That’s the gap Velify is built to close: it reads your project and flags exactly this, in plain language, no terminal.
