Can't reset password on self-hosted portal #588

Closed
BobbyCGD opened this issue Apr 23, 2020 · 10 comments · Fixed by #680
Labels
(t) Bug Bug reports (actual behavior is different than the expected behavior).

Comments

@BobbyCGD
BobbyCGD commented Apr 23, 2020

NOT THE SAME AS #587

Bug description

When self-hosting the portal a user is unable to reset their password. The link that gets sent in the email works perfectly well for the managed version of the portal, but not for the self-hosted version.

The developer tools in Chrome show that a request to the management api fails with a 401 Unauthorized error.

Reproduction steps

  1. Go to the homepage
  2. Click on 'Sign In'
  3. Click on 'Forgot your password?'
  4. Fill in and Click 'Request reset'
  5. Open link in email
  6. An error message is displayed 'Activate user error: You're not authorized.' above the form.
  7. Fill in the form with a new password
  8. Click 'Reset' button
  9. A different error message is displayed 'Server error. Unable to send request. Please try again later.'

Expected behavior

The process for resetting a password when using a self-hosted version of the portal is identical to the process in the managed version of the portal.

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

commit #578, [43441ba]

Environment

  • Operating system: [Azure Blob Storage]
  • Browser: [Google Chrome]
  • Version: [latest]

Additional context

The email template is configured to generate the link as:

    https://[portal-url]/confirm-password?$ConfirmQuery

I think the bug has been introduced in commit #516 which tried to resolve issue #460.

In particular the first error message is thrown on line 86 in confirm-password.ts. The error message is thrown when the application calls usersService.activateUser(queryParams);

There are several issues with having this functionality in the initialize() method, because the same code tries to handle different cases:

  1. Confirm a user
  2. Reset a user's password

The query parameters are not the same, meaning if the usersService.activateUser was executed successfully the identity will be set to 'null' rendering the user unable to login even if they reset their password. (The identity in this case is the user's login name)

    public async activateUser(parameters: URLSearchParams): Promise<void> {
        const userId = parameters.get("userid");
        const ticket = parameters.get("ticket");
        const ticketId = parameters.get("ticketid");
        const identity = parameters.get("identity");
        const requestUrl = `/users/${userId}/identities/Basic/${identity}`;
        const token = `Ticket id="${ticketId}",ticket="${ticket}"`;

        await this.mapiClient.put<void>(requestUrl, [{ name: "Authorization", value: token }], {});
    }

The $ConfirmQuery available in the Notification templates in Azure only provides the first three parameters. My guess is that this method should not be called when the user is just trying to reset their password.

The second error message is thrown on line 129 in the confirm-password.ts file. My guess is there is a problem with the usersService.updatePassword method. It passes a null object as a header and it makes sense the management API would refuse to accept the request.

    public async updatePassword(userId: string, newPassword: string): Promise<void> {
        await this.mapiClient.patch(userId, undefined, { password: newPassword });
    }

@BobbyCGD
Author

@ygrik can you have a look at this please? Thank you :)

@ygrik ygrik added (t) Bug Bug reports (actual behavior is different than the expected behavior). and removed to-triage labels Apr 29, 2020
@guideveloper

Has this been resolved please?

@guideveloper

UPDATE
I have found a fix for the reset password not working...

In confirm-password.ts
pass in the query parameters to the updatePassword method

    const queryParams = new URLSearchParams(location.search);
    await this.usersService.updatePassword(this.userId, queryParams, this.password());

Then in usersService.updatePassword add them as headers

    public async updatePassword(userId: string, parameters: URLSearchParams, newPassword: string): Promise<void> {
        const ticket = parameters.get("ticket");
        const ticketId = parameters.get("ticketid");
        const token = `Ticket id="${ticketId}",ticket="${ticket}"`;
        await this.mapiClient.patch(`users/${userId}`, [{ name: "Authorization", value: token }], { password: newPassword });
    }

@giovannaalves

giovannaalves commented May 11, 2020

> UPDATE
> I have found a fix for the reset password not working...
>
> In confirm-password.ts
> pass in the query parameters to the updatePassword method
>
>     const queryParams = new URLSearchParams(location.search);
>     await this.usersService.updatePassword(this.userId, queryParams, this.password());
>
> Then in usersService.updatePassword add them as headers
>
>     public async updatePassword(userId: string, parameters: URLSearchParams, newPassword: string): Promise<void> {
>         const ticket = parameters.get("ticket");
>         const ticketId = parameters.get("ticketid");
>         const token = `Ticket id="${ticketId}",ticket="${ticket}"`;
>         await this.mapiClient.patch(`users/${userId}`, [{ name: "Authorization", value: token }], { password: newPassword });
>     }

Does this only work for logged in users?
It didn't work for me :(
Do you know how it can work for users who have forgotten their password?

I clicked on the reset link and got the following error: "Error in user activation: You're not authorized to perform this operation."

@guideveloper

> > UPDATE
> > I have found a fix for the reset password not working...
> > In confirm-password.ts
> > pass in the query parameters to the updatePassword method
> >
> >     const queryParams = new URLSearchParams(location.search);
> >     await this.usersService.updatePassword(this.userId, queryParams, this.password());
> >
> > Then in usersService.updatePassword add them as headers
> >
> >     public async updatePassword(userId: string, parameters: URLSearchParams, newPassword: string): Promise<void> {
> >         const ticket = parameters.get("ticket");
> >         const ticketId = parameters.get("ticketid");
> >         const token = `Ticket id="${ticketId}",ticket="${ticket}"`;
> >         await this.mapiClient.patch(`users/${userId}`, [{ name: "Authorization", value: token }], { password: newPassword });
> >     }
>
> Does this only work for logged in users?
> It didn't work for me :(
> Do you know how it can work for users who have forgotten their password?
>
> I clicked on the reset link and got the following error: "Error in user activation: You're not authorized to perform this operation."

So this worked for me, and no, the user isn't logged in

@giovannaalves

I had to remove this code from confirm-password because, on page load, an account confirmation request was being made and an error message was being displayed:

(I use this url for confirm user account: "signup?$ConfirmQuery")

    try {
        await this.usersService.activateUser(queryParams);
        this.userId = await this.usersService.getCurrentUserId();

        if (!this.userId) {
            throw new Error("User not found.");
        }
    } catch (error) {
        const validationReport: ValidationReport = {
            source: "confirmpassword",
            errors: ["Erro na ativação do usuário: " + error.message]
        };
        this.eventManager.dispatchEvent("onValidationErrors", validationReport);
    }

And I needed to add this to my usersService.updatePassword, because it was coming through as null:

    userId = userId || parameters.get("userid");

Now it works for me. Thanks @guideveloper!
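
Added example, not written by any participant in this thread and not the portal's own code: it keeps the two flows from the issue description separate and attaches the e-mail ticket to the password PATCH as in the workaround above, refusing to build a request when a parameter is missing. `planRequest`, `required`, `PlannedRequest` and the sample links are hypothetical; the flow is assumed to be chosen by the page that received the link.

```typescript
// Hypothetical helper: builds the management API request for one flow
// from the query string of a $ConfirmQuery link, without sending it.
type Flow = "activate" | "reset";

interface PlannedRequest {
    flow: Flow;
    method: "PUT" | "PATCH";
    url: string;
    headers: { name: string; value: string }[];
    body: object;
}

// Reject missing or empty parameters so the string "null" is never
// interpolated into a URL or an Authorization header.
function required(params: URLSearchParams, name: string): string {
    const value = params.get(name);
    if (!value) {
        throw new Error(`Missing query parameter: ${name}`);
    }
    return value;
}

function planRequest(query: string, flow: Flow, newPassword?: string): PlannedRequest {
    const params = new URLSearchParams(query);
    const userId = encodeURIComponent(required(params, "userid"));
    const token = `Ticket id="${required(params, "ticketid")}",ticket="${required(params, "ticket")}"`;
    const headers = [{ name: "Authorization", value: token }];

    if (flow === "activate") {
        // Activation also needs "identity" (the login name), which the
        // reset link's $ConfirmQuery does not provide.
        const identity = encodeURIComponent(required(params, "identity"));
        return { flow, method: "PUT", url: `/users/${userId}/identities/Basic/${identity}`, headers, body: {} };
    }
    if (!newPassword) {
        throw new Error("A new password is required for the reset flow");
    }
    // Reset: the user is not signed in, so the ticket from the e-mail link
    // is the only credential and must accompany the PATCH.
    return { flow, method: "PATCH", url: `/users/${userId}`, headers, body: { password: newPassword } };
}

// Constructed sample links (all values are made up).
const resetLink = "?userid=u-123&ticketid=t-1&ticket=abc";
const confirmLink = resetLink + "&identity=bob%40example.com";
console.log(planRequest(resetLink, "reset", "N3w-passphrase").url);
console.log(planRequest(confirmLink, "activate").url);
```

Calling `planRequest(resetLink, "activate")` throws instead of producing `/identities/Basic/null`, which is the failure the issue describes on page load.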

@BobbyCGD
Author

BobbyCGD commented Jun 3, 2020

Hi, @azaslonov and @ygrik

Can we get an update please, I am still expecting an 'official' fix for this.

Thanks

@BobbyCGD
Author

BobbyCGD commented Jun 3, 2020

> I have resolved this now, thank you.
> Craig Smith craig@guideveloper.co.uk https://uk.linkedin.com/in/guideveloper https://twitter.com/guideveloper

Can you link to a commit/pull request? When I say 'official' fix I mean I am expecting a fix in the master branch, not a DIY adhoc solution.

@GowthamSrinivasan07

Hi Team,
We also get the error "Activate user error: You're not authorized to perform this operation." in the reset password form, and after entering a new password -> clicking the reset button -> Error "Server error. Unable to send request. Please try again later." Please confirm whether both errors are the same or not.
Most importantly, we are not using the self-hosted method; we are using the "Managed developer portal". Please add a solution for this issue with the managed developer portal method.

Thanks,
Gowtham S

@ygrik
Collaborator

ygrik commented Jun 9, 2020

> > I have resolved this now, thank you.
> > Craig Smith craig@guideveloper.co.uk https://uk.linkedin.com/in/guideveloper https://twitter.com/guideveloper
>
> Can you link to a commit/pull request? When I say 'official' fix I mean I am expecting a fix in the master branch, not a DIY adhoc solution.

f0d7b23
