G'day all,

Does anyone have any experience with the Waterlock flow for password resets? I've hit a wall which I can see a work-around for, but it seems really inelegant, so I'm probably missing something.

When I send through an auth/reset POST with an email element, the system proceeds to shoot the email out as planned.

When I then submit the received link in a POST request, with a password element, I see a "404" response.

HOWEVER

If I submit that link as a GET request first, and then submit the POST it works.

When I look into the waterlock-local-auth source, the reset POST action is testing for the presence of a decrypted token in the request object before allowing it to proceed.

SO

Either I code my front end to send a GET request (which doesn't respond properly) and then resubmit as a POST, or I go in and hack the waterlock-local-auth code to include a decode of the token (which is what I'm thinking is the most elegant solution).

Any clues?

Thanks,

Andy

Andy Davison

1 Answer

I have got a similar problem, but I use angularjs as my frontend. This discussion thread is very helpful:

https://github.com/waterlock/waterlock-local-auth/issues/7

Basically, you are expected to submit a GET request to the url received in the password reset email. After you click the link with the token, you will find in your database that a new ResetToken record has been created and the value in the token column is exactly the one you see in the url. Then you should be redirected to the forwardUrl in waterlock.js setting, where there should be a form or anything that can make you post to:

http://yourdomain.com/auth/reset?password=newpassword

Then the password is reset and the ResetToken record will be removed from your database.

If you look at the handlePost function here:

https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L68

This can explain why POSTing to the URL sent to you in the reset password email returns 404. The resetToken must already exist in the session in order for issuePasswordReset to be invoked. And the only place req.session.resetToken is set is within the validateToken method:

https://github.com/waterlock/waterlock-local-auth/blob/master/lib/controllers/actions/reset.js#L188

So you need a GET request first. Hope this helps.

afterglowlee
  • It does, but I still seem to be getting to the post handler with a null token in the session. Currently trying to see why that's the case, and at the same time adding support for recaptcha in the flow... – Andy Davison Feb 23 '16 at 09:09
  • Two questions: (1) have you set the `tokens` in `passwordReset` to be true? (2) have you upgraded the waterlock and waterlock-local-auth to the latest version (0.1.2-rc1 at the moment)? The sending email function was broken in the old version. – afterglowlee Feb 23 '16 at 09:59