Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password Forget and Reset Password #3872

Closed
Dexus opened this issue Aug 24, 2014 · 27 comments · Fixed by #4490, #4554 or #4604
Closed

Password Forget and Reset Password #3872

Dexus opened this issue Aug 24, 2014 · 27 comments · Fixed by #4490, #4554 or #4604
Labels
bug [triage] something behaving unexpectedly P2 - High [triage] High priority for immediate patch release
Milestone
Current Backlog

Comments

@Dexus
Copy link

Dexus commented Aug 24, 2014

Hey, i have the problem, that i klick on the reset link on my mail.

But if i type my new password an click on "reset password" i allways get "Invalid token".

So i can't use my Ghost Blog now... :(

Use: Linux Server with NodeJS 0.10.31 and Ghost 0.5.0
@Dexus
Copy link
Author

Dexus commented Aug 24, 2014

Same with 0.5.1-1 relase

@sebgie
Copy link
Contributor

sebgie commented Aug 24, 2014

Hi @Dexus and welcome to Ghost!

I'm sorry but I can't reproduce the problem you are describing. Could you please give us more details about how to reproduce the problem. Useful information would include your browser version, what version of Ghost (download, Github, ...) your are using, the exact steps to reproduce the problem, your Linux version, proxy server (Apache, Nginx, ...), ...

@ErisDS
Copy link
Member

ErisDS commented Aug 25, 2014

@Dexus does your email address or password contain non-Latin-standard characters perchance?

@Dexus
Copy link
Author

Dexus commented Aug 26, 2014

@ErisDS no emai only includes "0-9 a-z . @" characters. The password is using characters like "0-9a-zA-Z-.,_:;!".
Now the problem is gone. I dont know i open the link with a other mail client and now it was without error message. Befor i create this issue i had copy the link via console. And now open in Thunderbird/GoogleMail and all works. -.- I must say i have also request many times a new password, so that i get the working link.

@ErisDS
Copy link
Member

ErisDS commented Aug 26, 2014

We should consider any way we can make the tokens more robust when we do #3305, but as it appears to be working now I'm going to close this.

@ErisDS ErisDS closed this as completed Aug 26, 2014
@hugo
Copy link
Contributor

hugo commented Nov 20, 2014

I'm seeing this issue on Ghost 0.5.5, using Mailgun. If I log into the Mailgun interface and copy the link from there, it works fine - Mailgun is encoding your token, which is then not being recognised[0]. Given that your config file suggests Mailgun as a transport layer, I think this needs fixing.

[0] e.g. the url
https://thisishugo.com/ghost/reset/MTQxNjUyOTY4MDcwNnxoZWxsb0B0aGlzaXNodWdvLmNvbXxzamFCbzF0eTlCWGE2eXJ2OFVyRVZvalNJSW15MGdYTjBlNW5tNkNzdEZnPQ==/
gets turned into via Mailgun's tracking redirector
https://thisishugo.com/ghost/reset/MTQxNjUyOTY4MDcwNnxoZWxsb0B0aGlzaXNodWdvLmNvbXxzamFCbzF0eTlCWGE2eXJ2OFVyRVZvalNJSW15MGdYTjBlNW5tNkNzdEZnPQ%3D%3D/

@javorszky
Copy link
Contributor

Hm, yeah, that makes sense. Interesting question though: does base64 encoding the email cause this, or does Mailgun screw it up?

Let me put on my mr. fixit hat... brb.

@hugo
Copy link
Contributor

hugo commented Nov 20, 2014

The issue is that base64 encoding the token string possibly adds = symbols, which are not URL safe.

> encodeURIComponent("=")
"%3D"

Since - is a URL safe symbol but cannot appear in base64, you could simply convert all =s into -s when you send the token to the user, and do the reverse to the submitted token before doing whatever other parsing you do. If you're okay with that fix, I'll send a pull request (although it's so trivial a change you might want to just do it yourself).

@javorszky
Copy link
Contributor

Nah, do it :)

@hugo hugo mentioned this issue Nov 20, 2014
Merged
@Afforess
Copy link

I am still seeing this issue, using a copy of Ghost built from Github as of today's date (git head: f438871) . I am being sent a password reset to a /reset/MTQxNzA1NjU4MDUyMnxia21jYXZveUBnbWFpbC5jb218NTZqM1pkMGZnVnljMVZURkJDNFFUNFVJZWRwSGR6bXo1bHdWcWtoeTVQUT0-/but any time I attempt to change the password it is an invalid token. I also am using Mailgun.

It doesn't seem to be browser related, I tried on both latest Chrome stable and my iPhone Safari browser.

@javorszky
Copy link
Contributor

Will check it out today. I'm flying most of the day, so it might have to wait until tomorrow. If anyone else wants / can take it for a spin, do it :).

@hugo
Copy link
Contributor

hugo commented Nov 26, 2014

  1. replace isn't promiscuous so it was only replacing the initial = if there were two.
  2. validateToken calls generateResetToken and was getting the version with =s. However, fixing that then breaks redirection after the new password is saved. I've spend two hours trying to figure out why and have no clue.

@Dexus
Copy link
Author

Dexus commented Nov 26, 2014

Why you do not trim (=) on generate? And pad if need?
Look https://github.com/RGBboy/urlsafe-base64/blob/master/lib/urlsafe-base64.js

@sebgie
Copy link
Contributor

sebgie commented Nov 26, 2014

Sorry for being too quick on the merge button. I think we have overlooked some special cases here. + and / are also allowed base64 characters and are not escaped atm. After some reading I found this example (https://gist.github.com/jhurliman/1250118) on how to make base64 url safe. Long story short, + and / are encoded as - and _ and padding (=) is removed during transport and added again later. @thisishugo if you have time it would be great if you could rework this part, if not I'll take care of it :).

@ErisDS ErisDS reopened this Nov 27, 2014
@ErisDS ErisDS added bug [triage] something behaving unexpectedly P2 - High [triage] High priority for immediate patch release labels Nov 27, 2014
@ErisDS ErisDS added this to the Current Backlog milestone Nov 27, 2014
@hugo
Copy link
Contributor

hugo commented Nov 27, 2014

I should be able to work on this today.

@ErisDS
Copy link
Member

ErisDS commented Nov 29, 2014

Hi @thisishugo are you still working on this at all?

@hugo
Copy link
Contributor

hugo commented Nov 30, 2014

Unfortunately my laptop died and is with Apple being repaired, so I'm unable to work on this right now, sorry.

Sent from my iPhone

On 29 Nov 2014, at 03:33, Hannah Wolfe [email protected] wrote:

Hi @thisishugo are you still working on this at all?


Reply to this email directly or view it on GitHub.

@ErisDS
Copy link
Member

ErisDS commented Nov 30, 2014

@thisishugo Thanks for letting us know. @sebgie are you ok to pick this up?

@sebgie sebgie mentioned this issue Dec 1, 2014
Merged
sebgie added a commit to sebgie/Ghost that referenced this issue Dec 1, 2014
@sebgie
URL safe base64 encoding
9ddabff 
closes TryGhost#3872
- updated base64 escaping to respect + and \
- updated base64 escaping to remove = during transport
- updated tests
@ErisDS ErisDS reopened this Dec 7, 2014
@ErisDS
Copy link
Member

ErisDS commented Dec 7, 2014

Getting reports from all over that this is still pretty badly broken (forum post). It seems it only works for a very limited set of email addresses.

@ErisDS
Copy link
Member

ErisDS commented Dec 7, 2014

Seems the current issues are with account activation tokens, rather than password reset tokens

@sebgie
Copy link
Contributor

sebgie commented Dec 7, 2014

That's me being a moron. I added the escape mechanisms on the server side but did not update the regex (https://github.com/TryGhost/Ghost/blob/master/core/client/routes/signup.js#L18) that validates the token in admin. The error is reproducible for email addresses that generate a reset token that needs padding (try add / remove chars from the email). I'll try to fix it, if anyone is good at writing Regex feel free to PR.

sebgie added a commit to sebgie/Ghost that referenced this issue Dec 8, 2014
@sebgie
Fix reset token verification
d479b0c 
closes TryGhost#3872
closes TryGhost#4603
- updated regex to work with url safe tokens
@ErisDS ErisDS mentioned this issue Dec 8, 2014
Closed
@sebgie sebgie mentioned this issue Dec 8, 2014
Merged
@JoshWillik
Copy link
Contributor

I'm not sure if this was fixed by v0.5.6, but I'm still seeing this issue in a production blog when inviting a new user. The email is private obviously, but follows the form [email protected]

@ErisDS
Copy link
Member

ErisDS commented Dec 15, 2014

It will be fixed when I push 0.5.7 out ;)

@JoshWillik
Copy link
Contributor

Fantastic, looking forward to the release :)

@JoshWillik
Copy link
Contributor

I'm still seeing this issue in v0.5.7
This was a user DB carried over from 0.5.6, but I revoked and re-sent the invite.
I don't feel totally comfortable sharing the non-working hash & email publicly, could I email it to the devs somehow?

@sebgie
Copy link
Contributor

sebgie commented Dec 16, 2014

@JoshWillik I really thought that we have solved the invitation problem in 0.5.7. I would like to find out what's going wrong. My email is sebastian (at) ghost (dot) org.

@JoshWillik
Copy link
Contributor

I had neglected to rebuild the front-end files when upgrading. Disregard this issue; I apologize for wasting your time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug [triage] something behaving unexpectedly P2 - High [triage] High priority for immediate patch release
Projects
None yet
Milestone
Current Backlog
7 participants
@ErisDS @Afforess @sebgie @javorszky @Dexus @hugo @JoshWillik