Can't reset password on self-hosted portal


NOT THE SAME AS #587

Bug description

When self-hosting the portal a user is unable to reset their password. The link that gets sent in the email works perfectly well for the managed version of the portal, but not for the self-hosted version.

The developer tools in Chrome show that a request to the management api fails with a 401 Unauthorized error.

Reproduction steps

  1. Go to the homepage
  2. Click on ‘Sign In’
  3. Click on ‘Forgot your password?’
  4. Fill in and Click ‘Request reset’
  5. Open link in email
  6. An error message is displayed ‘Activate user error: You’re not authorized.’ above the form.
  7. Fill in the form with a new password
  8. Click ‘Reset’ button
  9. A different error message is displayed ‘Server error. Unable to send request. Please try again later.’

Expected behavior

The process for resetting a password when using a self-hosted version of the portal is identical to the process in the managed version of the portal.

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

commit #578, [43441ba9b2abcc952cfbaa479798d23e79dff25f]

Environment

  • Operating system: [Azure Blob Storage]
  • Browser: [Google Chrome]
  • Version: [latest]

Additional context

The email template is configured to generate the link as:

https://[portal-url]/confirm-password?$ConfirmQuery

I think the bug has been introduced in commit #516 which tried to resolve issue #460.

In particular the first error message is thrown on line 86 in confirm-password.ts. The error message is thrown when the application calls usersService.activateUser(queryParams);

There are several issues with having this functionality in the initialize() method, because the same code tries to handle different cases:

  1. Confirm a user
  2. Reset a user’s password

The query parameters are not the same, meaning if the usersService.activateUser was executed successfully the identity will be set to ‘null’, rendering the user unable to log in even if they reset their password. (The identity in this case is the user’s login name.)

public async activateUser(parameters: URLSearchParams): Promise<void> {
    const userId = parameters.get("userid");
    const ticket = parameters.get("ticket");
    const ticketId = parameters.get("ticketid");
    const identity = parameters.get("identity");
    const requestUrl = `/users/${userId}/identities/Basic/${identity}`;
    const token = `Ticket id="${ticketId}",ticket="${ticket}"`;

    await this.mapiClient.put<void>(requestUrl, [{ name: "Authorization", value: token }], {});
}

The $ConfirmQuery available in the Notification templates in Azure only provides the first three parameters. My guess is that this method should not be called when the user is just trying to reset their password.

The second error message is thrown on line 129 in the confirm-password.ts file. My guess is there is a problem with the usersService.updatePassword method. It passes a null object as a header and it makes sense the management API would refuse to accept the request.

public async updatePassword(userId: string, newPassword: string): Promise<void> {
    await this.mapiClient.patch(userId, undefined, { password: newPassword });
}

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 10

Top GitHub Comments

3 reactions
guideveloper commented, May 1, 2020

UPDATE I have found a fix for the reset password not working…

In confirm-password.ts pass in the query parameters to the updatePassword method:

const queryParams = new URLSearchParams(location.search);
await this.usersService.updatePassword(this.userId, queryParams, this.password());

Then in usersService.updatePassword add them as headers:

public async updatePassword(userId: string, parameters: URLSearchParams, newPassword: string): Promise<void> {
    const ticket = parameters.get("ticket");
    const ticketId = parameters.get("ticketid");
    const token = `Ticket id="${ticketId}",ticket="${ticket}"`;
    await this.mapiClient.patch(`users/${userId}`, [{ name: "Authorization", value: token }], { password: newPassword });
}

1 reaction
giovannaalves commented, May 13, 2020

I had to remove this code from the confirm-password because on page load an account confirmation request was being done and an error message was being displayed:

(I use this url for confirm user account: “signup?$ConfirmQuery”)

try {
    await this.usersService.activateUser(queryParams);
    this.userId = await this.usersService.getCurrentUserId();

    if (!this.userId) {
        throw new Error("User not found.");
    }
} catch (error) {
    const validationReport: ValidationReport = {
        source: "confirmpassword",
        errors: ["Erro na ativação do usuário: " + error.message]
    };
    this.eventManager.dispatchEvent("onValidationErrors", validationReport);
}

And I needed to add this to my usersService.updatePassword, because it was coming in as null:

userId = userId || parameters.get("userid");

Now it works for me. Thanks @guideveloper!
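The split between the two flows discussed in the issue and comments above, as an added example that is not code from the portal project or from either commenter: it derives the request and the `Ticket` Authorization header from the emailed link's query string, and refuses to build a header from missing values. `TicketRequest`, `requireParam`, `planTicketRequest` and the sample values in use are hypothetical; the quote/CR/LF rejection and URL-encoding are assumed hardening that the issue does not describe.

```typescript
// Added example; TicketRequest, requireParam and planTicketRequest are hypothetical names.
interface TicketRequest {
    flow: "confirm-identity" | "reset-password";
    method: "PUT" | "PATCH";
    path: string;
    headers: { name: string; value: string }[];
}

// The values end up inside a quoted Authorization parameter, so refuse missing
// ones (no `Ticket id="null"`) and any that could break out of the quotes or
// the header line. The character check is assumed hardening.
function requireParam(params: URLSearchParams, name: string): string {
    const value = params.get(name);
    if (value === null || value === "") {
        throw new Error(`Missing query parameter: ${name}`);
    }
    if (/["\r\n]/.test(value)) {
        throw new Error(`Invalid characters in query parameter: ${name}`);
    }
    return value;
}

function planTicketRequest(query: string): TicketRequest {
    const params = new URLSearchParams(query);
    const userId = encodeURIComponent(requireParam(params, "userid"));
    const ticketId = requireParam(params, "ticketid");
    const ticket = requireParam(params, "ticket");
    const headers = [
        { name: "Authorization", value: `Ticket id="${ticketId}",ticket="${ticket}"` },
    ];

    // Per the issue, $ConfirmQuery in a reset link carries no "identity", so the
    // identity endpoint is only targeted when that parameter is present.
    const identity = params.get("identity");
    if (identity) {
        const path = `/users/${userId}/identities/Basic/${encodeURIComponent(identity)}`;
        return { flow: "confirm-identity", method: "PUT", path, headers };
    }
    return { flow: "reset-password", method: "PATCH", path: `/users/${userId}`, headers };
}
```

A caller would pass `location.search` and hand the returned path and headers to its HTTP client, adding the new password as the body for the reset flow.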
