Broken password reset on staging #984
Comments
|
@bethschechter looks like you are meeting all the Upper/Lower/Number/Character requirements but the conflict is coming from your username and/or email. Can you provide those combos you tried? |
|
Sure @clash99. It was from the email [email protected] |
|
@clash99 I was having the same problem with user "kate11" |
|
@wonderchook - on the forgotten password page or on the registration page? I'm able to recreate it from the emailed password link but not on the registration page. |
|
@oliverroick - looks like the username and email values aren't getting passed through to the password reset by key page (via email link). I will look at it more tomorrow. |
|
Fixed error message in pull request #986 |
|
I addressed the issue (PR #988) by removing client-side validation from the password reset view. Let me explain: I had a PR ready that adds the user's username and email to the template and enables client-side validation. In this particular case, however, we might open a security hole, when we make the user's credentials public. If someone gets hold of the password reset link, they will get the username associated with the account and the new password, i.e. all information necessary to hijack the account. I checked back with @amplifi, and we decided to move validation entirely to the back-end for this view because it's too risky. |
Steps to reproduce the error
Actual behavior
I would expect this would result in a successful reset.
Expected behavior
I did not get to reset my password. Instead, I got the error messages shown in the image below.
In addition to refreshing multiple times and clicking the link again from my inbox, none of the following passwords worked:
QWErty123$%^
QwErTy1@3$5^
M00C0wmaps123
MMM@@@pppsss123
The text was updated successfully, but these errors were encountered: