Bug #21828 (closed)
Password Reset "Your password reset link appears to be invalid."
Description
A user on the help desk, brucenyc, reported a password reset issue. He wrote:
attempted to log in on 1/21/25 at 1:27 p.m. My IP address is 74.64.137.103. I received this error message:
"Error: Your password reset link appears to be invalid. Please request a new link below."
I tried the second method of going directly to /wp-admin/ page directly but could not log in.
In #21801 Boone asked: "clarify (if you know) exactly what the user did to see this message? Did they try to reset their password, or is this what they saw after an attempt to log in?"
I am pretty sure this is happening when users actually try to reset their password, not just login.
Another user reports:
I forgot my Academic Commons password and have tried using the reset system a few times. I receive a message in my email inbox with a link, but when I click on the link, I get a page that says the link doesn't work.
Same user, in a follow-up message:
This is the message I get when I try to reset my password. It leads me back to request a password reset which leads me to this message, etc. etc.
Reset Password https://commons.gc.cuny.edu/wp-login.php?action=lostpassword&error=invalidkey#
Please enter your username or email address. You will receive an email message with instructions on how to reset your password.
Error: Your password reset link appears to be invalid. Please request a new link below.
If you are unable to log in and have trouble using the 'Lost your password?' link below, please contact the CUNY Academic Commons team at commonshelpsite@gmail.com for assistance.
I am adding marilyn as a watcher because due to the number of tickets we have gotten about this just today, I think this is a migration issue and not just a user error issue.
Updated by Boone Gorges 3 months ago
So far I have been unable to reproduce the issue. Here's a walkthrough of what I'm doing. See also the attached gif.
1. Visited home page, logged out
2. Clicked Login button, leading me to https://commons.gc.cuny.edu/wp-login.php
3. Clicked "Lost your password?", which took me to https://commons.gc.cuny.edu/wp-login.php?action=lostpassword
4. Filled in my username and clicked 'Get New Password'
5. I received an email with a 'Reset Password' link that has the format https://commons.gc.cuny.edu/wp-login.php?action=rp&key=xxxxxxxxxxxxxxxxxxxx&login=boonetest, where the xxxxx section is a unique key
6. I was led back to a page with a URL of the format: https://commons.gc.cuny.edu/wp-login.php?action=rp. Note that the key and login are stripped from the URL at this point, as WP has already verified them and redirected me
7. I selected a new password and saved changes, which led me to https://commons.gc.cuny.edu/wp-login.php?action=resetpass, a success screen
Piecing together what I'm hearing, something is failing around 5 and 6. The user is getting the email, but when clicking, the user isn't redirected to the reset screen, but instead gets a message about an invalid key. I'm attaching a screenshot of what that page looks like.
It could be that something is happening with multiple redirects, which might invalidate the key in the background. I'll try to reproduce and investigate further, but if anyone could verify that my interpretation is correct, it would be a helpful start. Or if anyone can reliably reproduce, that would also be helpful.
Updated by Colin McDonald 3 months ago
I have followed Boone's steps and seen the same things that he is seeing.
Updated by Boone Gorges 3 months ago
- Status changed from New to Testing Required
- Target version set to 2.5.1
I figured out the bug. It's unrelated to Reclaim or caching. It's a bug I introduced in the changes related to the 2.5 release. See #21409. In that ticket I used the 'send_retrieve_password_email' hook in WP. The second param passed to that hook is called $user_login. So, when I built the password reset key for our custom email, I trusted that it was, you know, the user_login. But it turns out that this is actually the raw value provided by the user in the 'Username or email address' field. If a user passed their user_login, then the reset worked fine. But if they passed their email address, then the key hash logic failed. I've made a change so that I actually use the user_login value from the WP_User object: https://github.com/cuny-academic-commons/cac/commit/7ac1c8cce58756929758defe8adc97bd954ba2b4
You can confirm on the production server by going through the password reset flow using an email address.
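The hook misuse described in the comment above, as an added illustration in PHP; this is not the cac plugin's own code or the linked commit. It assumes WordPress 5.7+, where the filter passes ( $send, $user_login, $user_data ), and the `cac_demo_*` function names are hypothetical. The buggy line is kept as a comment beside the fix so the two can be compared.

```php
<?php
/**
 * Added illustration, not the cac plugin's own code: a custom password-reset
 * email hooked on WordPress's send_retrieve_password_email filter, showing the
 * bug described above and its fix. Assumes WordPress 5.7+, where the filter
 * passes ( $send, $user_login, $user_data ); function names are hypothetical.
 */

// Build the same kind of link core sends: wp-login.php?action=rp&key=...&login=...
function cac_demo_reset_link( $key, $login ) {
    $query = 'wp-login.php?action=rp&key=' . rawurlencode( $key )
           . '&login=' . rawurlencode( $login );
    return network_site_url( $query, 'login' );
}

function cac_demo_send_reset_email( $send, $user_login, $user_data ) {
    // $user_data is the WP_User core already resolved; the key is bound to it.
    $key = get_password_reset_key( $user_data );
    if ( is_wp_error( $key ) ) {
        return $send; // let core's own email go out rather than sending nothing
    }

    // BUGGY (the #21409 behaviour): $user_login is the raw text from the
    // 'Username or email address' field. If the user typed an email, the link
    // carries login=<email>; check_password_reset_key() then looks the account
    // up with get_user_by( 'login', ... ), finds nothing, and wp-login.php
    // redirects to ?action=lostpassword&error=invalidkey, the message reported.
    // $link = cac_demo_reset_link( $key, $user_login );

    // FIXED: use the login from the WP_User object, which is always the real
    // user_login regardless of what the user typed into the form.
    $link = cac_demo_reset_link( $key, $user_data->user_login );

    $sent = wp_mail(
        $user_data->user_email,
        'Reset Password',
        "Someone requested a password reset for your account.\n\n" . $link
    );

    // Returning false tells core not to send its default email; if our mail
    // failed, fall back to the core message instead of leaving the user stuck.
    return $sent ? false : $send;
}
add_filter( 'send_retrieve_password_email', 'cac_demo_send_reset_email', 10, 3 );
```

A quick check for the fix is to request a reset with an email address rather than a username and confirm the emailed link carries `login=<user_login>`, not the email.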
Updated by Colin McDonald 3 months ago
I was able to go through the pw reset flow with an email address on production. Glad we found it!
Updated by Boone Gorges 3 months ago
- Category name set to Password Reset
- Status changed from Testing Required to Resolved
Very good, thanks. I'm tentatively closing this. Marilyn, Laurie, and others - please reopen with details if you get more reports of the same, though I don't think you will.
Updated by Laurie Hurson 3 months ago
Thanks for sussing this out! Great to hear you were able to track down the issue. Will let you know if we get any other tickets that seem related to this issue.
Updated by Laurie Hurson about 1 month ago
Hi All,
I have another report of this happening. From the user:
"it sticks me in a hopeless “reset password” loop and tries to regenerate a new password for me every time I try to login and doesn’t accept the password that I have either set or tried to set. I’ve tried letting it do that, I’ve tried using the password manager that I use for everything (including all other CUNY sites): 1Password, and I’ve tried entering my own homegrown password."
User: https://commons.gc.cuny.edu/members/mjrobinson/activity/
I am going to advise her to clear her cache and try again but if there is anything else I should suggest she do, please let me know.
Thanks!
Updated by Boone Gorges about 1 month ago
Sorry to hear that the user is experiencing issues. It's not clear to me that it's precisely the same problem, but I will need more details. I'm unclear what the following means: "tries to regenerate a new password for me every time I try to login". I'm not aware of a login flow in WP where you're prompted to enter a new password. Could I please get specific instructions on how to reproduce? What URLs do I visit, what do I click, what emails should I receive, etc?
Updated by Laurie Hurson about 1 month ago
- File 0 lost pw .png added
- File 1 click lost pw.png added
- File 2 pw reset email.png added
- File 3 set new or generate pw.png added
I just went through the flow. After clicking "lost my password" (Screenshot 0) I am taken to the pw reset screen (Screenshot 1). Once I input my username it sends me an email (Screenshot 2) and I am taken to a screen to set my new PW or generate one (Screenshot 3). I think the Screenshot 3 UX is what she was referring to: even once she has reset her pw she is taken to the screen to set or generate a new pw. Not sure about this and will ask her to confirm, but that was my understanding.
Updated by Boone Gorges about 1 month ago
Thanks very much for the screenshots. The flow you've described makes sense, but when I follow it, I'm able to successfully log in. Starting from your screenshot 3:
4. Enter a password, or accept the one suggested by WP (doesn't matter) but make sure you copy it
5. Click 'Save Password'
6. You see a confirmation screen, with a link to log in. Click that link
7. Use username and new password to log in
Again, I tested this flow, and it seems to be working for me. If this is indeed what the user is attempting, it's important to know exactly where in the process it's failing. Are they able to get through each step of this, but when entering new credentials in step 7, they get an 'invalid password' error? Details, screenshots, error messages might help us to narrow down the issue.
Updated by Laurie Hurson about 1 month ago
Thanks Boone, I am also able to easily reset my password and log in.
I think this may have something to do with the fact that this is likely the first time this person is visiting or logging into the Commons post-migration. From what I can tell across tickets, a user encounters these issues during the first log in attempt post-migration and then, once they get in, they are unable to reproduce the issue after they have successfully logged in one time. At least, that seemed to be what was happening with most folks when this issue initially emerged right after the migration.
I asked her to clear cache and try another browser and to document the process along the way. Will keep you posted.