Issues with password resets

[andro44]

Hi,

I'm having issues with the password reset feature. I use the API to issue a password reset email for my user - request content:
{ "meta": { "email": "[email protected]", "deliver": true } }

The user receives an email with a link that takes him to the password reset page. The user enters a password and clicks Submit, but the action fails every time.
Failed to complete password reset: token has already been used or it has expired

I have reproduced this error on different computers using different email addresses. I am sure, that the token was not used prior to testing nor did I wait long enough for it to expire. Has anyone faced similar issues and if, what was the solution?

Regards, A.

[ezekg]

I can't reproduce this. Are you sure that the user is not requesting multiple password resets? If so, only the reset link in the latest email will work. Requesting a password reset will revoke all previously requested password reset tokens.

[ezekg]

Looking at your request logs — your password reset is failing because when the account is protected, and the user does not yet have a password set, they will not be able to set their initial password. Passwordless users are considered "managed" users, and depending on whether or not the account is protected, they may not have permission to set a password.

To work around this, you may do one of the following:

1. Set a temporary password on the user. You can do this when creating the user, or you can do this after the fact. Once a password has been set, the user is no longer considered "managed" and may reset their password normally.
2. Set the account to unprotected. Though note what this entails — you may want to set all policies to protected to ensure certain actions can't be taken by users, such as license creation or renewal.

In your case, I would recommend setting a password on all users, even if a temporary password. But if that's not possible with your current registration flow, you can set the account to unprotected.

We're currently working on a more fine-grained permission system, which will hopefully get rid of the rather confusing protected/unprotected settings, and allow this type of action to be configurable (e.g. by allowing the user to perform the user.reset-password action, but perhaps disallowing the token.generate action).

But in the interim, I recommend one of the above solutions.

[ezekg]

As a side note — I updated the UI error message in this case. So it now correctly says permission denied, rather than indicating that the token has already been used or that it has expired. Thanks for pointing this out. Passwordless users are relatively new, and the docs still need to be updated in a few places to cover cases like these.

[andro44]

Thanks for the fast reply. I have updated my registration flow so that I set a temporary password when creating a new user.

I have registered a new user, got the email with the password reset link, but it still doesn't work. I get the permission denied error this time. I tried logging in with the new users email and the temporary password I set during registration - it works. As far as I understand I implemented workaround #1, did I miss something?

Regrads, A

[ezekg]

You're right, there was a UI bug here. This should now be resolved.

[andro44]

I can confirm that the issue is resolved. Thank you very much.

Regards, A.