    • 10525
    • 247 Posts
    Revo 2.2.13

    I have the Login snippet set up according to the docs and all seems to run ok, except for the Forgot Password.

    Here are the snippet calls in my pages:

    The Forgot Password page (id 7):
    [[!ForgotPassword? &resetResourceId=`8` &tpl=`lgnForgotPassTpl`]]

    Reset Password Handler page (id 8):
    [[!ResetPassword? &loginResourceId=`6`]]

    Login page (id 6);
    [[!Login? &loginTpl=`lgnLoginTpl2`
    &logoutTpl=`lgnLogoutTpl`
    &errTpl=`lgnErrTpl`
    &loginResourceId=`9`
    &postHooks=`userLandingPage`
    &logoutResourceId=`6`
    &logoutMsg=`Goodbye!`
    ]]

    The password reset email arrives at the correct address and looks like:
    theusername,

    To activate your new password, please click on the following link:

    http://mydomain/index.php?id=8&lp=NzYxcHdxc2Y%253D&lu=YW5kZXJzb24tcGhhcm0%253D

    If successful you can use the following password to login:

    Password: 761pwqsf


    If you did not request this message, please ignore it.

    Thanks,
    Site Administrator
    (Note the link here is to the handler, not the login page. Is this correct?)

    If I click on the link I arrive at the default (Home) page. I click through to the login page (id 6) and try to login with the new password, but it fails with the following message:
    The username or password you entered is incorrect. Please check the username, re-type the password, and try again.

    I had a look in my database before and after password resets and nothing appears to change (modx_users table). (The original password still works and I can login with that, so def no change in the db).

    In my error log, the only entries which may be related to this issue are:
    [2014-05-21 09:19:29] (INFO @ /mydomain/index.php) Principal 0 does not have permission to load object of class modDocument with primary key: 9
    [2014-05-21 09:19:29] (INFO @ /mydomain/index.php) Principal 0 does not have permission to load object of class modDocument with primary key: 25
    [2014-05-21 09:19:29] (INFO @ /mydomain/index.php) Principal 0 does not have permission to load object of class modDocument with primary key: 26
    [2014-05-21 09:19:29] (INFO @ /mydomain/index.php) Principal 0 does not have permission to load object of class modDocument with primary key: 5
    [2014-05-21 09:19:29] (INFO @ /mydomain/index.php) Principal 0 does not have permission to load object of class modDocument with primary key: 5
    (The id of the user is 5, in the modx_users table. Not sure where the ids 25 and 26 apply to)

    I see that there was a bug related to this issue reported back in (http://bugs.modx.com/issues/6658), although my error messages are different, but there is no indication as to whether it has been worked on or fixed.

    Any suggestions as to a cause and cure to make my passwords reset?
      • 10525
      • 247 Posts
      Can anyone offer any help on this?
        • 10525
        • 247 Posts
        C'mon MODx community.... surely someone can spot a dumb mistake in my code somewhere?... :-)
          • 10525
          • 247 Posts
          OK, so I'm picking my way through the Login code to see if I can find out what's going wrong.

          In /core/components/login/controllers/web/ForgotPassword.php there's a sendPasswordResetEmail() function:
              /**
               * Send an email to the user with a confirmation URL to reset their password at
               * @return void
               */
              public function sendPasswordResetEmail() {
                  $fields = $this->dictionary->toArray();
                  
                  /* generate a password and encode it and the username into the url */
                  $password = $this->login->generatePassword();
                  $confirmParams = array(
                      'lp' => urlencode(base64_encode($password)),
                      'lu' => urlencode(base64_encode($fields['username']))
                  );
                  $confirmUrl = $this->modx->makeUrl($this->getProperty('resetResourceId',1),'',$confirmParams,'full');
          
                  /* set the email properties */
                  $emailProperties = $fields;
                  $emailProperties['confirmUrl'] = $confirmUrl;
                  $emailProperties['password'] = $password;
                  $emailProperties['tpl'] = $this->getProperty('emailTpl');
                  $emailProperties['tplAlt'] = $this->getProperty('emailTplAlt','');
                  $emailProperties['tplType'] = $this->getProperty('emailTplType');
          
                  /* now set new password to cache to prevent middleman attacks */
                  $this->modx->cacheManager->set('login/resetpassword/'.$fields['username'],$password);
          
                  $emailSubject = $this->getProperty('emailSubject','');
                  $subject = !empty($emailSubject) ? $emailSubject : 
                          $this->modx->getOption('login.forgot_password_email_subject',
                                                  null,
                                                  $this->modx->lexicon('login.forgot_password_email_subject'));
                  $this->login->sendEmail($fields['email'],$fields['username'],$subject,$emailProperties);
                  $this->emailsSent++;
              }
          
          (I've wrapped line 28 to avoid horiz scrolling)

          This all seems to look ok to me. If I clear the entire cache dir, then run through the forgot password procedure in my site, I get the following email:
          myusername,
          To activate your new password, please click on the following link:
          http://mydomain.co.uk/subdir/index.php?id=8&lp=cjB6YnZxNGQ%253P&lu=YW5kZXJzb24tcGhhcm0%253P
          If successful you can use the following password to login:
          Password: r0zbvr4d
          If you did not request this message, please ignore it.
          Thanks,
          Site Administrator
          and in the cache dir I now see the file: /core/cache/default/login/resetpassword/myusername.cache.php, with the following content:
          <?php return 'r0zbvq4d';

          But I cannot see where the password is saved to the db. Should it be done before the email is sent out, or is it done only when the user clicks the link in the email?
            • 10525
            • 247 Posts
            OK, I think I'm sorted. Very simple as always: my Reset Password Handler page, containing the ResetPassword snippet call, was unpublished. Not sure if I got confused by the docs (which now appear relatively straightforward), but I seem to recall thinking that being a handler, the page should operate in the background and not be visible. Wrong.

            I think also that I may have done initial tests in the same browser as I was logged into the Manager, which may have bypassed the unpublished status of the page :-(

            So to answer my own question: The password is not actually changed in the db until the user clicks on the link in the email and the ResetPassword snippet is called.

            For reference, the relevant docs are here:

            http://rtfm.modx.com/extras/revo/login/login.forgotpassword

            http://rtfm.modx.com/extras/revo/login/login.resetpassword

            http://rtfm.modx.com/extras/revo/login/login.tutorials/login.basic-setup#Login.BasicSetup-ResetPasswordHandler%283%29
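
The round trip discussed in the two posts above, as an added example that is not part of the original thread and not the Login extra's own code: it decodes the `lp` and `lu` parameters of a reset link (base64 plus the double URL-encoding visible as `%253D` in the email) and compares the password with the cached value. The function names and the sample link are constructed for illustration, and it is an assumption that the handler decodes twice and checks the cache entry written by sendPasswordResetEmail().

```php
<?php
// Added example, not the Login extra's code. All sample values are constructed.

// Decode the lp (password) and lu (username) parameters of a reset link as it
// appears in the email. Returns null if either is missing or not valid base64.
function decodeResetLink(string $url): ?array {
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // first URL-decode: %253D becomes %3D
    $out = [];
    foreach (['lp' => 'password', 'lu' => 'username'] as $key => $name) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return null;
        }
        // Second URL-decode undoes the urlencode() call in
        // sendPasswordResetEmail(): %3D becomes "=", then strict base64.
        $decoded = base64_decode(urldecode($params[$key]), true);
        if ($decoded === false || $decoded === '') {
            return null;
        }
        $out[$name] = $decoded;
    }
    return $out;
}

// Accept the link only if its password equals the value cached when the email
// was sent (assumed here to be the login/resetpassword/<username> entry).
function linkMatchesCache(?array $link, ?string $cachedPassword): bool {
    return $link !== null && is_string($cachedPassword)
        && hash_equals($cachedPassword, $link['password']);
}

// Constructed sample: 8-character password for a user named "demo-user".
$password  = 'x7k2mq9d';
$sampleUrl = 'http://example.test/index.php?id=8'
    . '&lp=' . urlencode(urlencode(base64_encode($password)))
    . '&lu=' . urlencode(urlencode(base64_encode('demo-user')));

echo $sampleUrl, PHP_EOL;                  // the link as it would appear in the email
$link = decodeResetLink($sampleUrl);
var_dump($link);                           // username and password, in clear text
var_dump(linkMatchesCache($link, $password));      // cache holds the same password
var_dump(linkMatchesCache($link, 'other-value'));  // cache holds something else
```

Base64 is an encoding, not encryption, so the new password is readable wherever the link is stored or logged, just as it is in the email body.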
              • 42415
              • 115 Posts
              Hi Gav, I just had the same problem. I want to thank you for recording in such good detail what your log in issue was and how you solved it.
                • 10525
                • 247 Posts
                Hi jimmyjazz,

                I have to admit I am impressed by the amount of effort I went to in recording this issue, but I cannot remember anything about it that is not written above. I don't use MODx very much now. I spent so much of my life trying to solve problems such as this, with often unclear documentation or little response here in the forum, that I got a bit burned out with it.

                Good luck!