Resetting password requires a verified account?

[mdodell]

I am trying to incorporate rodauth-rails with UUIDs, but I'm having issues with allowing users to reset passwords. For context, I have a fairly simple migration to enable UUIDs:

class EnableUuid < ActiveRecord::Migration[7.1]
  def change
    enable_extension 'pgcrypto'
  end
end

Then I have my rodauth-rails migration:

class CreateRodauth < ActiveRecord::Migration[7.1]
  def change
    enable_extension 'citext'

    create_table :accounts, id: :uuid do |t|
      t.integer :status, null: false, default: 1
      t.citext :email, null: false
      t.index :email, unique: true, where: 'status IN (1, 2)'
      t.string :password_hash
    end

    # Used by the password reset feature
    create_table :account_password_reset_keys, id: :uuid do |t|
      t.foreign_key :accounts, column: :id
      t.string :key, null: false
      t.datetime :deadline, null: false
      t.datetime :email_last_sent, null: false, default: -> { 'CURRENT_TIMESTAMP' }
    end

    # Used by the account verification feature
    create_table :account_verification_keys, id: :uuid do |t|
      t.foreign_key :accounts, column: :id
      t.string :key, null: false
      t.datetime :requested_at, null: false, default: -> { 'CURRENT_TIMESTAMP' }
      t.datetime :email_last_sent, null: false, default: -> { 'CURRENT_TIMESTAMP' }
    end

    # Used by the verify login change feature
    create_table :account_login_change_keys, id: :uuid do |t|
      t.foreign_key :accounts, column: :id
      t.string :key, null: false
      t.string :login, null: false
      t.datetime :deadline, null: false
    end
  end
end

Everything so far is working as intended - creating accounts, verifying passwords, logging in, logging out, and closing accounts.

However, my reset password key only works for verified accounts. My repo can be found here, which just has a minimal reproduction of this issue. The issue seems to be that verified accounts will allow you to reset the password with the sent email, but then the key from the sent email for unverified accounts results in a 401. Do accounts need to be verified in order for the password to be reset? Is there a parameter that can be turned off? I didn't find anything in the Rodauth docs.

[janko]

Just to check first, did you change convert_token_id_to_integer? from true to false when switching to UUIDs?

Other than that, it makes sense to me that only verified accounts are able to rest their password, though in that case they shouldn't be able to request a reset either. I haven't looked at what checks on account status Rodauth makes exactly.

[mdodell]

@janko I did! I should've copied over my rodauth_main.rb, but its fairly standard.

My thinking is that a user could make an account, and potentially forget to verify. I know I have done that before in apps I've used. I don't see a reason why they wouldn't be able to reset their password if not verified. That action/the key is still sent to the user's email. I also would expect the request to fail upon sending to reset-password-request if verification was required, as I could then perhaps include some logic to maybe send a reverify request if the error message was due to lack of verification.

[janko]

I looked now, and Rodauth does prevent unverified accounts from requesting a password reset (code), and it also asserts that the account retrieved from the reset password token is verified (code). So, something else must be going on in your application. On failed password reset request you should be able to redirect to the page for resending account verification email:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    set_error_reason { |reason| @error_reason = reason }
  end

  attr_reader :error_reason
end

<!-- app/views/rodauth/reset_password_request.html.erb -->
<!-- ... -->
<% if rodauth.error_reason == :unverified_account %>
  <%= form_with url: rodauth.verify_account_resend_path, method: :post do |form| %>
    <%= form.hidden_field rodauth.login_param, value: params[rodauth.login_param] %>
    <%= form.submit "Resend verification email" %>
  <% end %>
<% end %>

The following self-contained example shows that Rodauth requires account to be verified on password reset request:

Code

require "rodauth"
require "sequel"
require "mail"

Mail.defaults { delivery_method :test }

DB = Sequel.sqlite
DB.create_table :accounts do
  primary_key :id
  Integer :status_id, null: false, default: 1
  String :email, null: false
  String :password_hash
end
DB.create_table :account_verification_keys do
  foreign_key :id, :accounts, primary_key: true
  String :key, null: false
  DateTime :requested_at, null: false, default: Sequel::CURRENT_TIMESTAMP
  DateTime :email_last_sent, null: false, default: Sequel::CURRENT_TIMESTAMP
end
DB.create_table :account_password_reset_keys do
  foreign_key :id, :accounts, primary_key: true
  String :key, null: false
  DateTime :deadline, null: false
  DateTime :email_last_sent, null: false, default: Sequel::CURRENT_TIMESTAMP
end

rodauth = Rodauth.lib do
  enable :create_account, :verify_account, :reset_password
  domain "example.com"
  account_password_hash_column :password_hash
  set_deadline_values? true
end

rodauth.create_account(login: "user@example.com", password: "secret123")
rodauth.reset_password_request(login: "user@example.com")

[mdodell]

I don't know if that is actually the case with this gem. Here is what I did to recreate this:
1.) Created a basic Rails 7 API only app rails new rodauth-reset-issue -d postgresql --api
2.) Installed rodauth, following the exact implementation (without UUIDs) for a JSON API using Cookies.
3.) Made a POST request to create-account, and then to reset-password-request with the same email.

I created a very basic app, which can be cloned here that reproduces this issue. The only thing I did was modify the password_confirm_param in Rodauth.

You can also see some Rails logs here from running it. I was able to make a POST request to create-account, and immediately make a POST request to reset-password-request:

Started POST "/create-account" for ::1 at 2024-04-01 19:58:38 -0400
  ActiveRecord::SchemaMigration Load (1.0ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
Processing by RodauthApp#call as */*
  Parameters: {"email"=>"hello@test.com", "password"=>"[FILTERED]", "confirm_password"=>"[FILTERED]"}
  Sequel (0.2ms)  SELECT CAST(current_setting('server_version_num') AS integer) AS v
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (2.9ms)  SELECT * FROM "accounts" WHERE (("email" = 'hello@test.com') AND ("status" IN (1, 2))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.2ms)  BEGIN
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.4ms)  SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (2.7ms)  SELECT "pg_attribute"."attname" AS "pk" FROM "pg_class", "pg_attribute", "pg_index", "pg_namespace" WHERE (("pg_class"."oid" = "pg_attribute"."attrelid") AND ("pg_class"."relnamespace" = "pg_namespace"."oid") AND ("pg_class"."oid" = "pg_index"."indrelid") AND ("pg_index"."indkey"[0] = "pg_attribute"."attnum") AND ("pg_index"."indisprimary" = 't') AND ("pg_class"."oid" = CAST(CAST('"accounts"' AS regclass) AS oid))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (1.6ms)  INSERT INTO "accounts" ("email", "status", "password_hash") VALUES ('hello@test.com', 1, '$2a$12$/rs8kGGr0lg7PgzPfc3QmejIUH9VruHexSZ1nMaeLq93NGdTW04uG') RETURNING "id"
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  RELEASE SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (6.7ms)  SELECT 1 AS "one" FROM "account_verification_keys" WHERE ("id" = 1) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (0.6ms)  SELECT "pg_attribute"."attname" AS "pk" FROM "pg_class", "pg_attribute", "pg_index", "pg_namespace" WHERE (("pg_class"."oid" = "pg_attribute"."attrelid") AND ("pg_class"."relnamespace" = "pg_namespace"."oid") AND ("pg_class"."oid" = "pg_index"."indrelid") AND ("pg_index"."indkey"[0] = "pg_attribute"."attnum") AND ("pg_index"."indisprimary" = 't') AND ("pg_class"."oid" = CAST(CAST('"account_verification_keys"' AS regclass) AS oid))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (1.0ms)  INSERT INTO "account_verification_keys" ("id", "key") VALUES (1, 'aiIx2gY_zachQaNhsJ9hKwM8Yi7pEd1H8pth3HJkNmc') RETURNING "id"
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  RELEASE SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (1.1ms)  SELECT 1 AS "one" FROM "account_verification_keys" WHERE (("id" = 1) AND ((CAST("requested_at" AS timestamp) + make_interval(secs := 86400)) > CURRENT_TIMESTAMP)) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.6ms)  COMMIT
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: a2049786-aaa5-46ee-ba37-807a2c98aeee) to Async(default) with arguments: "RodauthMailer", "verify_account", "deliver_now", {:args=>[nil, 1, "aiIx2gY_zachQaNhsJ9hKwM8Yi7pEd1H8pth3HJkNmc"]}
[ActiveJob] ↳ app/misc/rodauth_main.rb:100:in `block (3 levels) in <class:RodauthMain>'
Completed 200 OK in 290ms (ActiveRecord: 35.7ms | Allocations: 23541)


[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee] Performing ActionMailer::MailDeliveryJob (Job ID: a2049786-aaa5-46ee-ba37-807a2c98aeee) from Async(default) enqueued at 2024-04-01T23:58:38.761722000Z with arguments: "RodauthMailer", "verify_account", "deliver_now", {:args=>[nil, 1, "aiIx2gY_zachQaNhsJ9hKwM8Yi7pEd1H8pth3HJkNmc"]}
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   Sequel (0.3ms)  SELECT * FROM "accounts" WHERE ("id" = 1) LIMIT 1
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   ↳ app/mailers/rodauth_mailer.rb:58:in `block in rodauth'
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   Rendering layout layouts/mailer.text.erb
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   Rendering rodauth_mailer/verify_account.text.erb within layouts/mailer
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   Rendered rodauth_mailer/verify_account.text.erb within layouts/mailer (Duration: 0.3ms | Allocations: 322)
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee]   Rendered layout layouts/mailer.text.erb (Duration: 0.5ms | Allocations: 557)
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee] RodauthMailer#verify_account: processed outbound mail in 41.7ms
Started POST "/reset-password-request" for ::1 at 2024-04-01 19:58:40 -0400
Processing by RodauthApp#call as */*
  Parameters: {"email"=>"hello@test.com"}
  Sequel (3.1ms)  SELECT * FROM "accounts" WHERE (("email" = 'hello@test.com') AND ("status" IN (1, 2))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  SELECT 1 AS "one" FROM "account_verification_keys" WHERE (("id" = 1) AND ((CAST("requested_at" AS timestamp) + make_interval(secs := 86400)) > CURRENT_TIMESTAMP)) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (4.9ms)  SELECT "email_last_sent" FROM "account_password_reset_keys" WHERE ("id" = 1) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  BEGIN
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (3.4ms)  DELETE FROM "account_password_reset_keys" WHERE (("id" = 1) AND (CURRENT_TIMESTAMP > "deadline"))
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (0.8ms)  SELECT "key" FROM "account_password_reset_keys" WHERE ("id" = 1) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (2.4ms)  SELECT "pg_attribute"."attname" AS "pk" FROM "pg_class", "pg_attribute", "pg_index", "pg_namespace" WHERE (("pg_class"."oid" = "pg_attribute"."attrelid") AND ("pg_class"."relnamespace" = "pg_namespace"."oid") AND ("pg_class"."oid" = "pg_index"."indrelid") AND ("pg_index"."indkey"[0] = "pg_attribute"."attnum") AND ("pg_index"."indisprimary" = 't') AND ("pg_class"."oid" = CAST(CAST('"account_password_reset_keys"' AS regclass) AS oid))) LIMIT 1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  Sequel (0.9ms)  INSERT INTO "account_password_reset_keys" ("id", "key", "deadline") VALUES (1, 'QZaFwcBn_CwikxIJh6xusDadhBX3oCI54uo_0dGiNMc', (CAST(CURRENT_TIMESTAMP AS timestamp) + make_interval(days := 1))) RETURNING "id"
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.1ms)  RELEASE SAVEPOINT active_record_1
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
  TRANSACTION (0.6ms)  COMMIT
  ↳ app/misc/rodauth_app.rb:11:in `block in <class:RodauthApp>'
[ActiveJob] Enqueued ActionMailer::MailDeliveryJob (Job ID: 3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9) to Async(default) with arguments: "RodauthMailer", "reset_password", "deliver_now", {:args=>[nil, 1, "QZaFwcBn_CwikxIJh6xusDadhBX3oCI54uo_0dGiNMc"]}
[ActiveJob] ↳ app/misc/rodauth_main.rb:100:in `block (3 levels) in <class:RodauthMain>'
Completed 200 OK in 58ms (ActiveRecord: 23.5ms | Allocations: 15070)


[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9] Performing ActionMailer::MailDeliveryJob (Job ID: 3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9) from Async(default) enqueued at 2024-04-01T23:58:40.838735000Z with arguments: "RodauthMailer", "reset_password", "deliver_now", {:args=>[nil, 1, "QZaFwcBn_CwikxIJh6xusDadhBX3oCI54uo_0dGiNMc"]}
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   Sequel (0.3ms)  SELECT * FROM "accounts" WHERE ("id" = 1) LIMIT 1
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   ↳ app/mailers/rodauth_mailer.rb:58:in `block in rodauth'
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   Rendering layout layouts/mailer.text.erb
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   Rendering rodauth_mailer/reset_password.text.erb within layouts/mailer
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   Rendered rodauth_mailer/reset_password.text.erb within layouts/mailer (Duration: 0.4ms | Allocations: 202)
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9]   Rendered layout layouts/mailer.text.erb (Duration: 0.5ms | Allocations: 301)
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9] RodauthMailer#reset_password: processed outbound mail in 4.7ms
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee] Delivered mail 660b4a2ec658f_43db2c60874c6@Mitchells-MacBook-Pro.local.mail (2592.0ms)
[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee] Date: Mon, 01 Apr 2024 19:58:38 -0400
From: webmaster@localhost
To: hello@test.com
Message-ID: <660b4a2ec658f_43db2c60874c6@Mitchells-MacBook-Pro.local.mail>
Subject: Verify Account
Mime-Version: 1.0
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

Someone has created an account with this email address.  If you did not create
this account, please ignore this message.  If you created this account, please go to
http://localhost:3000/verify-account?key=1_KxMKi87DcYhtgTl0Q5f0YUb820Lp9sqUexesKcjdXQ8
to verify the account.


[ActiveJob] [ActionMailer::MailDeliveryJob] [a2049786-aaa5-46ee-ba37-807a2c98aeee] Performed ActionMailer::MailDeliveryJob (Job ID: a2049786-aaa5-46ee-ba37-807a2c98aeee) from Async(default) in 2637.1ms
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9] Delivered mail 660b4a30cfcb8_43db2e048752d@Mitchells-MacBook-Pro.local.mail (1618.7ms)
[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9] Date: Mon, 01 Apr 2024 19:58:40 -0400
From: webmaster@localhost
To: hello@test.com
Message-ID: <660b4a30cfcb8_43db2e048752d@Mitchells-MacBook-Pro.local.mail>
Subject: Reset Password
Mime-Version: 1.0
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

Someone has requested a password reset for the account with this email
address.  If you did not request a password reset, please ignore this
message.  If you requested a password reset, please go to
http://localhost:3000/reset-password?key=1_Y2HKVMnCw4nBBCHqA0lvWtMJttVvDMUCXgAWUMt9N0k
to reset the password for the account.


[ActiveJob] [ActionMailer::MailDeliveryJob] [3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9] Performed ActionMailer::MailDeliveryJob (Job ID: 3e7e0a2c-a343-4f4b-9a9e-819f10da4eb9) from Async(default) in 1624.59ms

[janko]

If you're using the verify_account_grace_period feature, then the account is temporarily considered verified for some time after registration. In this example application, are you also able to reset the password, or do you get the unverified response?