Password reset bug: "Your session has expired" #2382

Closed
timothyjensen opened this issue Sep 28, 2018 · 10 comments

@timothyjensen

timothyjensen commented Sep 28, 2018

I am encountering a problem when attempting to reset a client's password via the domain.com/client/recover_password page. The password reset form accepts the client's email address and emails a password reset link, but after clicking the email link and submitting the new password form, the client is redirected to the domain.com/client/session_expired page and sees the message:

Your session has expired. Please click the link in your email again.

Interestingly, the new password does seem to work, but obviously this is not a great user experience.

EDIT: I'm running v4.5.5

@passionInfinite

@timothyjensen Did you keep your screen waiting for more than 4 hours?

@turbo124
Member

This was an issue with v4.5.2, but is resolved in v4.5.4.

Are you running the latest version?

@timothyjensen
Author

@passionInfinite No, I clicked the link right away.

@turbo124 I was running v4.5.2 before @hillelcoren informed me that it was a known bug and to update to v4.5.4. I went ahead and updated to v4.5.5 and am still having the same problem.

@turbo124
Member

turbo124 commented Oct 3, 2018

@timothyjensen I can't recreate the issue unfortunately. Are there any additional errors logged in storage/logs/laravel-error.log?

@timothyjensen
Author

@turbo124 No, there are no relevant errors in the log. I spun up a test Invoice Ninja site with a fresh database, tried several different mail settings, in both FF and Chrome, browser extensions disabled, etc., and still have the problem. If you'd like, I can add you as a user to the test install to see if you encounter the same problem.

@turbo124
Member

turbo124 commented Oct 3, 2018 via email

@jclg

jclg commented Oct 3, 2018

I was able to reproduce this issue (version v4.5.5).
After submitting the reset password form (/client/password/reset/{token}), I was redirected to /client/dashboard.
This route matches Route::get('client/{contact_key?}', 'ClientPortalController@dashboard') with the middleware auth:client, but I am not authenticated as a client.
In this middleware, the contact is not valid, so it returns \Redirect::to('client/session_expired');

I created a PR that should fix this problem by redirecting to /client/login instead of /client/dashboard.

@timothyjensen
Author

@jclg Thanks for taking a look at this issue! Your PR is definitely an improvement over the current experience and now I'm taken to the login screen instead of being shown the session expired error.

I'm not sure if this is the intended behavior, however. Shouldn't the user be automatically logged in after submitting the form? The /password/reset route does automatically log in the user after password reset, which I think is the preferred user experience.

@jclg

jclg commented Oct 3, 2018

@timothyjensen You are correct, the user should be automatically logged in after submitting the form. This is the expected behavior in Laravel.

According to the Laravel documentation (https://laravel.com/docs/5.7/passwords#after-resetting-passwords):

After a password is reset, the user will automatically be logged into the application and redirected to...

We can see this here:
https://github.com/laravel/framework/blob/5.4/src/Illuminate/Foundation/Auth/ResetsPasswords.php#L108

We will have to investigate why the client is not automatically logged in.

@turbo124 turbo124 added bug and removed triage labels Oct 4, 2018
@micah

micah commented Oct 16, 2019

I'm also seeing this behavior, thanks for looking into this!
