
Reset Password permission is disabled by default #6440

Closed
yurii-sorokin opened this issue May 29, 2020 · 19 comments · Fixed by #6696
Labels
good first issue Good for newcomers issue: bug Issue reporting a bug severity: high If it breaks the basic use of the product source: plugin:users-permissions Source is plugin/users-permissions package status: confirmed Confirmed by a Strapi Team member or multiple community members

Comments

@yurii-sorokin

yurii-sorokin commented May 29, 2020

Describe the bug
Reset Password permission is disabled by default. So you can send an email for a password reset but can't actually reset it.

Steps to reproduce the behavior

  1. POST /auth/forgot-password { email: 'some@email.com' }
  2. POST /auth/reset-password { code: 'codeFromEmail', password: 'newPassword', ... }
  3. Receive Forbidden 403

Expected behavior
Password reset successfully.

System

  • Node.js version: v14.2.0
  • NPM version: 6.14.4
  • Strapi version: 3.0.1
  • Database: mongodb
  • Operating system: MacOs

Additional context
I've debugged the code a little and I guess the issue is related to #5655 (Change Password was renamed to Reset Password) and especially to the following code: https://github.com/strapi/strapi/blob/master/packages/strapi-plugin-users-permissions/services/UsersPermissions.js#L25

Changing changepassword to resetpassword might resolve the issue.

@bsakweson

bsakweson commented May 31, 2020

To piggyback on this, I also noticed the code is pretty long. Is there any documentation on how to change the code generation to an x-digit or x-character code? At the moment the code is pretty long, e.g. 10d36318ef4a96b0b240836f7baa8bcbe340d3b3fe1a075e2e67858efa84f6ed89f5fad6f79290cf64068ec054a925808b46a92cc5c4f986f42f279a1a8a1d64

Cheers.

@bsakweson

I did some additional research, and it seems as if the issue is with authentication. The code is supposed to be JWT that authenticates a user temporarily with limited access to complete this process. Normally, password reset is done before the user is authenticated which explains why we see the 403 error.


@riyazbhanvadia

> I did some additional research, and it seems as if the issue is with authentication. The code is supposed to be JWT that authenticates a user temporarily with limited access to complete this process. Normally, password reset is done before the user is authenticated which explains why we see the 403 error.

Hi,

I faced the same issue and I was able to resolve it with the steps below.

  • Go to the Strapi admin
  • Click on Roles&Permission in the side menu
  • You will see two roles there; click on the public role
  • Scroll down and you will see USERS-PERMISSIONS
  • Enable the reset password checkbox and click Save.

@bsakweson

That seems to work fine now, thanks for helping out.

Am I the only one who finds the token to be cumbersome, would it be enough for it to be a simple OTP of say 8 digits or something of that nature?

@riyazbhanvadia

> That seems to work fine now, thanks for helping out.
>
> Am I the only one who finds the token to be cumbersome, would it be enough for it to be a simple OTP of say 8 digits or something of that nature?

The best way to reset a password is to have a one-time-use token. Strapi has done that internally, so it is good to use the inbuilt API.

@bsakweson

bsakweson commented Jun 4, 2020

I am not sure I followed: "Strapi has done that internally so it is good to use inbuilt API." What does that mean? Forgive my indulgence, I just started messing with this CMS. I guess what I am trying to say is that it would be challenging for users to input the current code into, say, a mobile device unless they copy and paste, whereas a six- or eight-digit code with an expiry time would work just fine.

@riyazbhanvadia

"Strapi has done that internally so it is good to use inbuilt API" means Strapi has a reset password API, so we don't have to do the overhead work for users to reset their password. So it's best to use Strapi's inbuilt API.

@bsakweson

Ah that is what you meant, gotcha. That part definitely works well. Please see my previous riposte, it is updated with more information. In a nutshell, all I am saying is that the token could be much shorter.

@lauriejim lauriejim added good first issue Good for newcomers severity: high If it breaks the basic use of the product source: plugin:users-permissions Source is plugin/users-permissions package status: confirmed Confirmed by a Strapi Team member or multiple community members issue: bug Issue reporting a bug labels Jun 15, 2020
@lauriejim (Contributor)

Thank you for reporting this issue. It's an easy issue to fix.
I will continue to review PRs if someone can have a look at the initialize function of the users-permissions plugin.
Thank you.

lauriejim added a commit that referenced this issue Jun 16, 2020
Signed-off-by: Jim LAURIE <j.laurie6993@gmail.com>
alexandrebodin pushed a commit that referenced this issue Jun 16, 2020
Signed-off-by: Jim LAURIE <j.laurie6993@gmail.com>
iicdii pushed a commit to iicdii/strapi that referenced this issue Jul 2, 2020
Signed-off-by: Jim LAURIE <j.laurie6993@gmail.com>
Signed-off-by: harimkims <harimkims@gmail.com>
@litehacker

litehacker commented Sep 23, 2020

Yet I have a bad request error.

Version: 3.1.4 (node v12.18.1)

Request:

{
  "email": "useremail@mail.ru"
}

Address:
http://localhost:1337/auth/forgot-password
Response:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": {},
    "data": {}
}

Here are the settings, which I didn't need to change and were set by default:
[screenshot omitted]

@derrickmehaffy (Member)

Hello!

Can you please create a new GitHub issue by using the GitHub issue template, providing all required information.

Your issue looks related to that topic, but it's an old one. Using another thread (GitHub issue) will make it easier to manage your case.

Thank you and have a good day.

@quyetthang122

quyetthang122 commented Oct 17, 2020

Hi @bsakweson, I am currently looking for a solution to send a shorter reset code, like 6 digits, or an OTP via SMS using Firebase. Have you found any solution for it?

Also @richardgrey, you mean Strapi has the forgotPassword() API for it, so we have options to customize it? Do you have any instructions on how to change the API flow so we can customise the reset code from Strapi, or use third-party code like Firebase OTP SMS?

@quyetthang122

Hi @bsakweson, I found a temporary solution: we can customize this line, const resetPasswordToken = crypto.randomBytes(64).toString('hex');, in node_modules/strapi-plugin-users-permissions/controllers/Auth.js (strapi plugin v3.2.4 core). It's not a recommended way, as we all know. I hope it could be a temporary solution at the moment.

@GabrielLiade

How can I have access to the code from the email ?

@Ejazkhan999

I have allowed the password reset tab; still I am not getting access to the method.

[screenshot omitted]

@alexandrebodin (Member)

Hi @Ejazkhan999, your screenshot shows an invalid URL :) it repeats /auth/forgot-password twice in the URL. And if you want to use reset-password, the URL is /auth/reset-password :)

@mickhah

mickhah commented May 3, 2021

Hello. Could somebody explain to me how to change the password for the Strapi login? I have checked resetpassword under user-permissions, but where do I change the password now?

@MattieBelt (Collaborator)

@mickhah these docs should explain to you how to implement reset & forgot password: https://strapi.io/documentation/developer-docs/latest/development/plugins/users-permissions.html#forgotten-reset-password
