"Invalid reset password token " #758

Closed
macfire opened this issue Feb 24, 2023 · 6 comments


macfire commented Feb 24, 2023

Issue:
When arriving at "/reset" page by clicking on the link provided in the email received to reset password, the following error is received: "Invalid reset password token"

Can anyone direct me where to start troubleshooting?

  • Flask==2.23
  • Flask-Security-Too==5.1.0
  • Flask-Login==0.62
  • flask-mailman==0.30
  • flask-mongoengine==1.0.0
  • mongoengine==0.26.0

Thanks for any help.

Collaborator

jwag956 commented Feb 25, 2023

Let's start with what the url is that you were redirected to i.e. xxx/reset/???

Also a bit of info on your configuration would help

Author

macfire commented Feb 27, 2023

The site has been in use for several years, but hasn't been maintained.
It uses Flask-Security, and I am attempting to upgrade using the newer Flask-Security-Too package.

I just checked and see that SECURITY_PASSWORD_HASH is set to sha512_crypt.
In reviewing the current examples, I see that argon2 appears to be recommended (or required). I will test that next.

How is the token generated?
Maybe another package/library that needs to be updated?

Collaborator

jwag956 commented Feb 27, 2023

A basic question - make absolutely sure you removed the old flask_security package and then install the flask-security-too package (make sure the directory in site-packages is empty).

sha512_crypt is fine - in the past few years, argon2 has received lots of enthusiastic support.

The token is generated using the itsdangerous package.

That error means that either the 'user' that is looked up with the contents of the token doesn't exist OR something is wrong with the token.

I assume you have updated your database models to include the fs_uniquifier in the User model and have made sure you populated that field for any existing records.

@jwag956 jwag956 closed this as completed Mar 8, 2023
Author

macfire commented Mar 15, 2023

@jwag956, thanks for your suggestions.

I'm encountering the same issue on another site where I'm upgrading from Flask-Security to Flask-Security-Too, and went through the checklist:

  • the new user field "fs_uniquifier" is added
  • the old flask-security files are removed
  • the User does exist
  • "fs_uniquifier" IS POPULATED <--- This was the error. I filled the field with random text and it works.

Collaborator

jwag956 commented Mar 16, 2023

Glad that worked - 'random text' isn't a great idea :-) It is critical that every user have a UNIQUE fs_uniquifier.

Check out the migration tips:
https://flask-security-too.readthedocs.io/en/stable/changelog.html#id25
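
An added example, not part of the thread or of Flask-Security-Too's own code: one way to audit existing records for a missing or shared fs_uniquifier and backfill unique values. The `User` dataclass and both function names are hypothetical stand-ins for the application's model, the sample records are constructed, and `uuid.uuid4().hex` is one choice of unique value.

```python
import uuid
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class User:
    # Hypothetical stand-in for the application's User document; only the
    # fields this check needs are modelled.
    email: str
    fs_uniquifier: Optional[str] = None


def _has_value(user: User) -> bool:
    # None, "" and whitespace-only all count as "not populated".
    return bool(user.fs_uniquifier and user.fs_uniquifier.strip())


def audit_uniquifiers(users: Iterable[User]) -> Tuple[List[str], List[str]]:
    """Return (emails with no value, values shared by more than one user)."""
    users = list(users)
    missing = [u.email for u in users if not _has_value(u)]
    counts = Counter(u.fs_uniquifier for u in users if _has_value(u))
    return missing, sorted(v for v, n in counts.items() if n > 1)


def backfill_uniquifiers(users: Iterable[User]) -> List[User]:
    """Give a fresh value to every user whose fs_uniquifier is missing or
    already held by an earlier user. Returns the changed users so the caller
    can persist them (with mongoengine, assumed here, via user.save())."""
    seen, changed = set(), []
    for user in users:
        if not _has_value(user) or user.fs_uniquifier in seen:
            user.fs_uniquifier = uuid.uuid4().hex
            changed.append(user)
        seen.add(user.fs_uniquifier)
    return changed


if __name__ == "__main__":
    # Constructed sample: two unpopulated records, two sharing pasted text.
    sample = [User("a@example.test"), User("b@example.test", ""),
              User("c@example.test", "random text"),
              User("d@example.test", "random text")]
    print("before:", audit_uniquifiers(sample))
    print("changed:", [u.email for u in backfill_uniquifiers(sample)])
    print("after:", audit_uniquifiers(sample))
```
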

Author

macfire commented Mar 16, 2023

Yes, 'random text' is not a great idea; but in this case I was just using it to troubleshoot locally.

The link to the change log is a big help. Thanks.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2024