Link expiration inoperative unless expiration time explicitly set on config page

I noticed today while testing the expiration feature of the login links (using a purposefully backdated timestamp) that the links would always allow access no matter how old their timestamp was. After some debugging, I found that this was due to the module's call to variable_get on line 630:

$timeout = variable_get('login_one_time_expiry', 86400*14);

The $timeout variable was empty after this call, even though the call to variable_get should set 2 weeks as the default. Perhaps the variable existed in the database but was empty?

Checking the code for the configuration form seems to confirm this:

$form['global']['login_one_time_expiry'] = array(
    '#type' => 'textfield',
    '#title' => t('Link expiry'),
    '#default_value' => variable_get('login_one_time_expiry', ''),
    '#size' => strlen(PHP_INT_MAX),
    '#maxlength' => strlen(PHP_INT_MAX),
    '#description' => t("How long, in seconds, before links expire.  Leave blank to default to two weeks (1,209,600 seconds)."),
  );

Above at line 68 we have:

'#default_value' => variable_get('login_one_time_expiry', ''),

This would seem to set the variable to an empty string when the form was submitted, breaking the expiration check unless someone explicitly sets a timeout value on the config page.

In any case, once I entered a specific timeout value on the config page, the expiration check worked as expected. The instructions on the config page indicate that the field may be left blank for a default of 2 weeks, but this seems to not always be the case.

It seems that changing line 68 would fix this issue:

'#default_value' => variable_get('login_one_time_expiry', 86400*14),

Thanks for an excellent module - I'm using it to generate login links in bulk for around 12,000 users on one of our sites by calling the generation functions from a php script, then allowing the module's menu callbacks to handle authentication.