Password reset link not working

cptblue · August 1, 2024, 1:16pm

Hi

Issue with password reset link not working and just taking the user back to the login page.

Latest version

Invoice plane is running in a subdomain

I have edited htaccess and tried using the subdomain folder and the subdomain address and not having a sub directory at all.

Invoiceplane doesn’t run in a sub directory in the sub domain but if you view the site files then the sub domain does have the sub directory invoicing in the public_html folder.

Any help would be really useful thank you.

UnderDog · August 1, 2024, 3:06pm

I’ll take a look this weekend.
Check your private message

UnderDog · August 2, 2024, 2:43am

So let me clarify for myself:

I’m going to https://invoicing.invoiceplane.co.uk and i see that Login screen of InvoicePlane.

But i forgot my password so i click on 'Forgot Password, correct?

I right now see a screen where i can enter my email address so that sends me my password reset link.

To clarify:
Aren’t you getting an email? Or aren’t you getting a screen: "If your username exists we’ll send you a password reset link

Help me out here, what screen aren’t you getting / seeing?

cptblue · August 2, 2024, 5:00am

Hi thanks for looking into this.

User login screen is fine
Forgot Password page is fine and allows user to enter email
Reset link is fine, sent and received.

When user clicks on link to reset in email that’s a unique link with random text string at the end, it will open that link but revert back to the user login page.
There is no option for the user to choose a new password just to log back in again but they can’t because they’ve forgotten password.

I could set you up a guest account if you wanted to try.

Really appreciate your support, thank you.

UnderDog · August 2, 2024, 5:47am

Great job on the explanation, it helps me understand the situation

UnderDog · August 3, 2024, 12:56pm

I see the problem.
I’ll try to reproduce it locally, so i can fix it.

In the meantime… can you change REMOVE_INDEXPHP=false to REMOVE_INDEXPHP=true in your ipconfig.php

Let’s see if that helps

cptblue · August 5, 2024, 11:15pm

Changed that but it just broke the entire site so changed it back

UnderDog · August 5, 2024, 11:59pm

Can you change it 1 more time and then do the following:

Go to the View source
Look in the header for the .css files
Which is the entire address for the .css file (/ files)

Send it to me in a PM

UnderDog · August 6, 2024, 12:01am

@naui95 could you help with this one, please?

naui95 · August 18, 2024, 1:41pm

Dear @cptblue thank you for the report. I looked into our code and I think you found a real bug. There is in fact a conceptual issue in the token verification code. I will provide a fix for the bug to be included in the next release.

To be sure you are not encountering yet an other issue, can I kindly ask you to share with us the password reset token that is failing? Before sharing with us the password reset token please request a new one in order to invalidate the token you are sharing with us (for your own security).

If you wish to follow the issue, here is the link: Password reset token is not validated correctly · Issue #1070 · InvoicePlane/InvoicePlane · GitHub