This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Password reset using email is broken #14317

Closed
Twi1ightSparkle opened this issue Oct 28, 2022 · 5 comments
Labels
O-Occasional Affects or can be seen by some users regularly or most users rarely S-Critical Blocks development, potential data loss, more than 25% of users possibly affected, no workarounds. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@Twi1ightSparkle
Member

Twi1ightSparkle commented Oct 28, 2022

Description

Resetting your password using email on #/forgot_password is broken

Steps to reproduce

  • Enter your email on #/forgot_password (assuming your account already has a verified email attached)
  • Click the link in the email
  • Click I have verified my email address
  • You get the error message Failed to verify email address: make sure you clicked the link in the email

Homeserver

matrix.org, <redacted>.ems.host

Synapse Version

Issue present on at least 1.68.0, 1.70.1, and 1.70.1 (b=matrix-org-hotfixes,18a045ba69)

Installation Method

No response

Platform

Matrix.org and EMS

Relevant log output

Will attach to an internal issue

Anything else that would be useful to know?

No response

@TheloTheGreat

I also have this problem on 1.64.0.

From looking at my server logs, there seems to be a URL-parsing problem there. The log shows a password reset attempt where the URL has a "sid" parameter just fine, but then it complains that it's "Missing string query parameter 'sid'" and then complains about an "Invalid base64-encoded string":

2022-10-30 15:10:31,414 - synapse.access.http.8008 - 450 - INFO - GET-47717 - 96.127.204.3 - 8008 - {None} Processed request: 0.000sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 706B 200 "GET /_synapse/client/password_reset/email/submit_token?token=JjMMVTFVybkRvlJMJQVUJcLCNiGjTzrV&client_secret=<redacted>&sid=CMNoWHTXFgygOjlE HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0" [0 dbevts]
2022-10-30 15:10:32,007 - synapse.http.server - 234 - INFO - GET-47718 - <XForwardedForRequest at 0x7fd0646b16c0 method='GET' uri='/_synapse/client/password_reset/email/submit_token?client_secret=<redacted>' clientproto='HTTP/1.1' site='8008'> SynapseError: 400 - Missing string query parameter 'sid'
2022-10-30 15:10:32,007 - synapse.access.http.8008 - 450 - INFO - GET-47718 - 157.55.39.113 - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 192B 400 "GET /_synapse/client/password_reset/email/submit_token?client_secret=<redacted> HTTP/1.1" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; MicrosoftPreview/2.0; +https://aka.ms/MicrosoftPreview) Chrome/100.0.4896.127 Safari/537.36" [0 dbevts]
2022-10-30 15:10:33,389 - synapse.access.http.8008 - 450 - INFO - POST-47719 - 96.127.204.3 - 8008 - {None} Processed request: 0.003sec/-0.000sec (0.000sec, 0.001sec) (0.000sec/0.002sec/1) 169B 200 "POST /_synapse/client/password_reset/email/submit_token?token=JjMMVTFVybkRvlJMJQVUJcLCNiGjTzrV&client_secret=<redacted>&sid=CMNoWHTXFgygOjlE HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0" [0 dbevts]
2022-10-30 15:10:40,086 - synapse.api.auth - 450 - WARNING - POST-47721 - Invalid access token in auth: <class 'binascii.Error'> Invalid base64-encoded string: number of data characters (9) cannot be 1 more than a multiple of 4.
2022-10-30 15:10:40,086 - synapse.http.server - 167 - INFO - POST-47721 - <XForwardedForRequest at 0x7fd06c6c92a0 method='POST' uri='/_matrix/client/r0/account/password' clientproto='HTTP/1.1' site='8008'> SynapseError: 401 - Invalid access token passed.
2022-10-30 15:10:40,087 - synapse.access.http.8008 - 450 - INFO - POST-47721 - 96.127.204.3 - 8008 - {None} Processed request: 0.001sec/0.001sec (0.001sec, 0.000sec) (0.000sec/0.000sec/0) 88B 401 "POST /_matrix/client/r0/account/password HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0" [0 dbevts]
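
Added example, not part of the original comment or of Synapse: a small Python triage script that attributes each submit_token request in access-log lines of the format quoted above to the client address and user agent that sent it, and lists which of the link's query parameters each request carried. The sample lines are constructed (documentation IP addresses, placeholder token values, user agents in the style of those in the log above); the regular expression and function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the Synapse log format quoted above
# (documentation IP ranges, placeholder token/secret/sid values).
SAMPLE_LOG = """\
2022-10-30 15:10:31,414 - synapse.access.http.8008 - 450 - INFO - GET-101 - 192.0.2.10 - 8008 - {None} Processed request: 0.000sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 706B 200 "GET /_synapse/client/password_reset/email/submit_token?token=TOKEN&client_secret=SECRET&sid=SID HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0" [0 dbevts]
2022-10-30 15:10:32,007 - synapse.http.server - 234 - INFO - GET-102 - <XForwardedForRequest at 0x0 method='GET' uri='/_synapse/client/password_reset/email/submit_token?client_secret=SECRET' clientproto='HTTP/1.1' site='8008'> SynapseError: 400 - Missing string query parameter 'sid'
2022-10-30 15:10:32,007 - synapse.access.http.8008 - 450 - INFO - GET-102 - 198.51.100.7 - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 192B 400 "GET /_synapse/client/password_reset/email/submit_token?client_secret=SECRET HTTP/1.1" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; MicrosoftPreview/2.0; +https://aka.ms/MicrosoftPreview) Chrome/100.0.4896.127 Safari/537.36" [0 dbevts]
2022-10-30 15:10:33,389 - synapse.access.http.8008 - 450 - INFO - POST-103 - 192.0.2.10 - 8008 - {None} Processed request: 0.003sec/-0.000sec (0.000sec, 0.001sec) (0.000sec/0.002sec/1) 169B 200 "POST /_synapse/client/password_reset/email/submit_token?token=TOKEN&client_secret=SECRET&sid=SID HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0" [0 dbevts]
"""

REQUIRED = ("token", "client_secret", "sid")  # parameters carried by the emailed link

# Matches access-log lines only: request id, client IP, status, request line, user agent.
LINE_RE = re.compile(
    r'- (?P<req>[A-Z]+-\d+) - (?P<ip>[\d.]+) - \d+ - .*? (?P<status>\d{3}) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" "(?P<ua>[^"]*)"')

def parse_submit_token_requests(log_text):
    """Return one dict per access-log line that hit the submit_token endpoint."""
    rows = []
    for m in LINE_RE.finditer(log_text):
        url = urlsplit(m["target"])
        if not url.path.endswith("/password_reset/email/submit_token"):
            continue
        params = parse_qs(url.query)
        rows.append({
            "req": m["req"], "ip": m["ip"], "status": int(m["status"]),
            "ua": m["ua"],
            "missing": [p for p in REQUIRED if p not in params],
        })
    return rows

def foreign_fetches(rows):
    """Requests sent by a client other than one that presented the complete link."""
    complete = {(r["ip"], r["ua"]) for r in rows if not r["missing"]}
    return [r for r in rows if (r["ip"], r["ua"]) not in complete]

if __name__ == "__main__":
    parsed = parse_submit_token_requests(SAMPLE_LOG)
    for r in parsed:
        print(r["req"], r["ip"], r["status"], "missing:", r["missing"], "|", r["ua"])
    print("other clients:", [r["req"] for r in foreign_fetches(parsed)])
```
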

@reivilibre reivilibre added S-Critical Blocks development, potential data loss, more than 25% of users possibly affected, no workarounds. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. O-Occasional Affects or can be seen by some users regularly or most users rarely labels Oct 31, 2022
@DMRobertson DMRobertson self-assigned this Oct 31, 2022
@DMRobertson
Contributor

DMRobertson commented Oct 31, 2022

When I try to do this (against a matrix.org account) from https://app.element.io/#/forgot_password, my client ends up calling POST https://matrix-client.matrix.org/_matrix/client/r0/account/password with Authorization: Bearer undefined, which smells like a JavaScript error to me.

Element-web 1.11.12.

@DMRobertson
Contributor

This seems to be a client-side issue, covered by element-hq/element-web#23655. I suppose we should have asked someone to test this in a different client.

@DMRobertson DMRobertson closed this as not planned Oct 31, 2022
@Twi1ightSparkle
Member Author

🤦‍♀️ I should have tested using !element

@DMRobertson
Contributor

No harm done!
