So I am making a website with account activation when registering and this works fine. But the part where I have to send email to reset password doesn't. If I turn the email backend to 'console', It works fine. In the console I get the message with the token link to reset the password. When I turn the email backend to 'smtp' it just doesnt work and I get a long error after I submit the email that the message has to be sent on. Also I don't have a pasword reset view. I don't know if that is the problem.email_SettingsPassword reset formspasswordreset_confirm_htmlpassword_reset_Form_htmlpassword_reset_urlserrorerror location
I tried moddeling a Password reset view. I don't know if the view was right or this does not solve the problem. Also I googled this error but I didnt find something useful. Tried to change some urls.
Related
Good afternoon,
I'm using Cognito hosted ui with some admin methods to configure my authentication flow.
I'd like my users to have the possibility to reset their own passwords using the Forgot your password? link on the hosted ui which works fine. But an administrator should also be able to force reset any user's password.
For that I use the adminResetUserPassword https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html which works fine excepts that it sends a first verification code by email and then when the users returns on the hosted ui page and enters his (right but old) password, he is redirected to /forgotPassword page, is prompted to enter his username (email) and then receive a second verification code.
The first one is then expired. I find it a bit confusing for the user to receive the verification code twice and the first one is never used.
I reckon I need to find a way to redirect my users to /confirmPassword instead of /forgotPassword which re-triggers a new verification code. Is there a way to do this?
Many thanks,
I have a flask application running on a production environment, and one of the user requested a password reset, which sent out an email to them with a link back to the site for resetting the password.
That email got shared with a third-party probably, and the link got exposed. Now the reset request is being spammed from multiple IP addresses. There is a timer I set using the SECURITY_RESET_PASSWORD_WITHIN config parameter to 30 mins and I can see that it does work as intended, the link is invalidated and throws an error saying the link has expired.
But the default behavior of the Flask-Security package is to re-send the reset email to the user if the token has expired when doing a GET request to the reset page with the expired token. So someone can keep spamming that expired link using
GET /reset/token_id
and the user keeps getting sent reset emails.
What is the correct way to handle this situation?
Once the user changes their password, those tokens should be viewed as 'invalid' and then not send emails any more.
G'day all,
Does anyone have any experience with the Waterlock flow for passsword resets? I've hit a wall which I can see a work-around for, but it seems really in-elegant, so I'm probably missing something.
When I send through an auth/reset POST with an email element, the system proceeds to shoot the email out as planned.
When I then submit the received link in a POST request, with a password element, I see a "404" response.
HOWEVER
If I submit that link as a GET request first, and then submit the POST it works.
When I look into the waterlock-local-auth source, the reset POST action is testing for the presence of a decrypted token in the request object before allowing it to proceed.
SO
Either I code my front end to send a get request (which doesn't respond properly) and then resubmit as a POST, or I go in and hack the waterlock-local-auth code to include a decode of the token (which is what I'm thinking is the most elegant solution).
Any clues?
Thanks,
Andy
I have got a similar problem, but I use angularjs as my frontend. This discussion thread is very helpful:
https://github.com/waterlock/waterlock-local-auth/issues/7
Basically, you are expected to submit a GET request to the url received in the password reset email. After you click the link with the token, you will find in your database that a new ResetToken record has been created and the value in the token column is exactly the one you see in the url. Then you should be redirected to the forwardUrl in waterlock.js setting, where there should be a form or anything that can make you post to:
http://yourdomain.com/auth/reset?password=newpassword
Then the password is reset and the ResetToken record will be removed from your database.
If you look at the handlePost function here:
https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L68
This can explain why POSTing to the url sent to you in the reset password email returns 404. The resetToken must exist in session already in order that issuePasswordReset to be invoked. And the only place to set req.session.resetToken is within validateToken method:
https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L188
So you need a get request first. Hope this helps.
The use case:
User makes order his payment gets accepted and his details are getting post to a django's view. Using these details django's view creates user and everything that is necessary (Username and password is provided by me). Then before returning it sends email to clients email with his data (Username and password for now).
But sometimes I get a gateway timeout error from apache(app is deployed on openshift). Because the user is created I assume that the timeout comes from the email sending part. How can I make sure everything went ok and inform the user? How can I make sure that if the email isn't sent I can resend it? What is the best practice at that?
If you have timeouts with an API or Service, you should fire your POST / sendmail request with AJAX...
Serialize the whole form (like jQuery's serialize())
Send that data via AJAX (with jQuery's ajax())
Inform the User of success or error (alert() or jQuery UI dialog)
You can find a lot of examples on this website.
Another "dirty" approach would be to add the attribute target="_blank" to your form tag what opens your lazy request in a new tab / window.
I followed this post How to disable email activation in django-registration app? and made changes to my django-registration code . So even though user is getting registered once I click on submit button , it still gives me an error page saying socket error . That means it is still trying to send the mail , though I have set it to false . How to get rid of this ?
I'm guessing this is in development? rather then turning email off you could try setting the email backend to dummy or file in your settings.py while in debug.
if DEBUG:
EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'