Password reset / recovery is broken #1502

Closed
k0nsl opened this issue Nov 27, 2015 · 10 comments

@k0nsl
Contributor

k0nsl commented Nov 27, 2015

I only tested this on the server hosted by the developers of Rocket.Chat and didn't test it on my own installation.
When requesting a password reset it does send you the e-mail and it is received with no problem. However, once you hit the link in the e-mail (the one looking like this: https://demo.rocket.chat/login/#/reset-password/{long_string}) it won't load the input box which usually asks you for the new password, instead you're taken to the login screen without any apparent error.

This is the output from my developer console:
[Screenshot: rocketchat_passwordreset]

@k0nsl k0nsl changed the title Password reset is broken Password reset / recovery is broken Nov 27, 2015
@haceru

haceru commented Nov 28, 2015

I tested on my own installation and it is broken indeed. Same behavior as above, just redirects to the login screen

@bernardoflynn

Yep I've just followed the docker installation instructions and I'm now locked out :( Forgot password just sends you back to the login screen and Rocket.Chat tells me my admin email or password is wrong (I saved it using a password manager so it can't be wrong)

@mquandalle

I had the same problem with Wekan, and in my case that was because the routes configuration was done on the client only — and not the server. Not sure if that helps.

@tholu
Contributor

tholu commented Dec 1, 2015

+1 Broken here as well.

See here for accessing the mongo database directly when deployed via docker:
#766 (comment)

@bernardoflynn Did you by chance enable email confirmations before being locked out? Then see the referenced comment to restore access.

@tholu
Contributor

tholu commented Dec 1, 2015

You can manually generate a password hash like this (replace 'password') and then update the mongo database directly:

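#!/usr/bin/env node

var bcrypt = require('bcrypt');
var crypto = require('crypto');
var pwd = 'password';

// Meteor's accounts-password stores bcrypt(SHA-256 hex digest of the password),
// so the password is hashed with SHA-256 before it goes to bcrypt.
var sha256 = crypto.createHash('sha256').update(pwd).digest('hex');

bcrypt.genSalt(10, function(err, salt) {
    if (err) { throw err; }
    bcrypt.hash(sha256, salt, function(err, hash) {
        if (err) { throw err; }
        // Store hash in your password DB.
        console.log(hash);
    });
});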

@graywolf336
Contributor

I believe this is also related to email confirmations not working as well, as they use the same url type "#" to state what is happening.

@adrianb88

@graywolf336
any news/update how to solve the email confirmation issue?

@graywolf336
Contributor

@adrianb88 Not yet, if someone else doesn't do it before me this weekend I will take a look

@tholu
Contributor

tholu commented Dec 2, 2015

Just tested again with the latest docker image from 29 hours ago (previous was from 11 days ago), problem still there. @graywolf336 Thanks, that would be great!

@jjayala1

jjayala1 commented Dec 9, 2015

Someone on my team lost his password, so I updated the database directly as suggested by @tholu.

I want to share the steps I used (I installed via composer):

1.- docker exec -it rocketchat_db_1 bash (log in to the container, use the appropriate container name)
2.- mongo (enter in database)
3.- use rocketchat (change to rocketchat database)
4.- db.getCollection('users').find({ username:"Jonh"}) (find _id for user Jonh)
5.- db.getCollection('users').update({_id:"gYvyetq89wtnvEk9K"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } }) (reset John's password to 12345, use the _id obtained in step 4)
6.- quit() (quit mongo)
7.- exit (quit container)

I hope it could be useful
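
An added example, not part of the thread or of Rocket.Chat's code: it prepares the manual reset from the two comments above (the hash script and the mongo steps) so that only `services.password.bcrypt` is changed, the rest of `services` is kept, and existing sessions are invalidated. All helper names are hypothetical, the minimum bcrypt cost of 10 is an assumption taken from `genSalt(10)`, and the sample `_id` and hash are the ones shown in step 5.

```javascript
// Added example, not Rocket.Chat code; all helper names are hypothetical.
const crypto = require('crypto');

// Random temporary password (32 hex chars) to use instead of a guessable one.
function tempPassword() {
  return crypto.randomBytes(16).toString('hex');
}

// Meteor bcrypts the SHA-256 hex digest of the password, not the password
// itself, so this is the string to feed to bcrypt.hash() as in the script above.
function meteorPrehash(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Accept only a well-formed bcrypt string: $2a$<cost>$ + 53 salt/digest chars.
// The minimum cost of 10 is an assumption taken from genSalt(10) above.
function parseBcrypt(hash) {
  const m = /^\$(2[aby])\$(\d{2})\$[.\/A-Za-z0-9]{53}$/.exec(hash);
  if (!m) throw new Error('not a bcrypt hash');
  const cost = Number(m[2]);
  if (cost < 10) throw new Error('bcrypt cost too low: ' + cost);
  return { version: m[1], cost: cost };
}

// Update document that changes only the password hash and leaves the rest of
// "services" (OAuth links, e-mail data) intact. It also drops any pending
// reset token and all login tokens, so existing sessions must sign in again.
function buildResetUpdate(bcryptHash) {
  parseBcrypt(bcryptHash);
  return {
    $set: { 'services.password.bcrypt': bcryptHash },
    $unset: { 'services.password.reset': 1, 'services.resume.loginTokens': 1 },
  };
}

// Render the command to paste into the mongo shell (step 5).
function mongoShellCommand(userId, bcryptHash) {
  return "db.getCollection('users').update(" + JSON.stringify({ _id: userId }) +
    ', ' + JSON.stringify(buildResetUpdate(bcryptHash)) + ')';
}

// Sample values: the _id and hash shown in step 5 of the comment above.
const SAMPLE_ID = 'gYvyetq89wtnvEk9K';
const SAMPLE_HASH = '$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG';
console.log(mongoShellCommand(SAMPLE_ID, SAMPLE_HASH));
```

The user should be given the temporary password out of band and asked to change it at first login.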

engelgabriel added a commit that referenced this issue Dec 28, 2015
engelgabriel added a commit that referenced this issue Dec 29, 2015
# By Diego Sampaio (8) and Rodrigo Nascimento (2)
# Via Gabriel Engel (3) and Rodrigo Nascimento (2)
* 'develop' of github.com:RocketChat/Rocket.Chat:
  Increase the delay to render color fields
  fix guest users default role
  standardize colors definition
  improved clean button color
  support named color for message attachments
  added request debug messages
  trim integration messages
  Try to parse all request bodies as JSON
  new password reset screen
  fix reset password - closes #1502