
I have been using Google Identity Toolkit (for web) on my site for more than 2 years. Recently I found that the password reset flow is broken. When I try to "Forgot Password", check the recaptcha checkbox and click Continue, I get an error "Request failed. Please try again."

In the console I see this:

[ 28.949s] [identitytoolkit] Error: Invalid JSON string: Password reset email sent successfully.
     Gj @   gitkit.js:254
Ej.addLogRecord @   gitkit.js:254
Zi.log  @   gitkit.js:237
R   @   gitkit.js:254
(anonymous) @   gitkit.js:255
Yc  @   gitkit.js:44
g.dispatchEvent @   gitkit.js:42
tj  @   gitkit.js:247
lj.onReadyStateChangeEntryPoint_    @   gitkit.js:245
lj.onReadyStateChange_  @   gitkit.js:245
XMLHttpRequest.send (async)     
lj.send @   gitkit.js:242
Mj  @   gitkit.js:255
Lj.requestRpEndpoint    @   gitkit.js:256
g.requestRpEndpoint @   gitkit.js:259
(anonymous) @   gitkit.js:4
N   @   gitkit.js:190
Fh  @   gitkit.js:190
Sm  @   gitkit.js:334
(anonymous) @   gitkit.js:335
(anonymous) @   gitkit.js:80
(anonymous) @   gitkit.js:77
Yc  @   gitkit.js:44
g.dispatchEvent @   gitkit.js:42
fd  @   gitkit.js:47
ed.handleClick_ @   gitkit.js:47
Uc  @   gitkit.js:39
Rc  @   gitkit.js:41
Pc.b    @   gitkit.js:37

Even though the error says "email sent successfully", it's not sent. I do not know how long it has been broken for. I only found it yesterday.

I'm using this script:

https://www.gstatic.com/authtoolkit/js/gitkit.js on my web site.

I hope someone from the Google Identity Toolkit team can help on this.

UPDATE 1:

Server side code:

OobResponse oobResponse = gitkitClient.getOobResponse(request);
OobAction oobAction = oobResponse.getOobAction();

// For DEBUG
logger.info("oobAction : " + oobAction);
String action = request.getParameter("action");
logger.info("action : " + action); // returns null
logger.info("response: " + request.getParameter("response")); // returns a long string
logger.info("responseBody : " + oobResponse.getResponseBody()); // returns {"error": "CAPTCHA_CHECK_FAILED" }
logger.info("email : " + oobResponse.getEmail()); // returns null

// If reset password
if (OobAction.RESET_PASSWORD.equals(oobAction)) {
    Optional<String> forgotPasswordLinkOpt = oobResponse.getOobUrl();
    String passwordResetLink = forgotPasswordLinkOpt.get();

    sendMailService.sendPasswordResetEmail(oobResponse.getEmail(), passwordResetLink);

    return(oobResponse.getResponseBody());
}

The oobAction is coming out to be null and therefore the link is not being sent. But action has a value of resetPassword. 'responseBody' is returning {"error": "CAPTCHA_CHECK_FAILED" }. Do I need to do some configuration for the recaptcha string at my end?

I'm using v1.2.7 of gitkitclient from the Maven repo:

https://mvnrepository.com/artifact/com.google.identitytoolkit/gitkitclient

DFB
  • Hey @DFB, password reset is handled server side in GITKit. Can you check what error is getting thrown server side? This doesn't look related to the client side. – bojeil Jun 18 '18 at 17:17
  • @bojeil Thanks for your help. Yes, it's indeed a problem on the server side code, as oobAction is coming out to be null. Can you help me figure out what's wrong? See my updates under "UPDATE 1" header. – DFB Jun 19 '18 at 02:33
  • @bojeil I posted more updates. It could be a problem with recaptcha string. Note that my server is using `appspot.com` domain and client is running on my own custom domain. – DFB Jun 19 '18 at 03:20
  • @bojeil Apparently this was reported for a PHP client as well on this thread but it resolved on its own in that case: https://stackoverflow.com/questions/50691691/cant-reset-users-password-in-google-identity-toolkit-captcha-check-failed – DFB Jun 19 '18 at 06:12
  • Can you provide your project number? – bojeil Jun 19 '18 at 16:48
  • @bojeil Project number is 75259261244. – DFB Jun 20 '18 at 00:32
  • @bojeil Is there any update? Thanks. – DFB Jun 22 '18 at 13:59
  • Hey @DFB, does the POST request look like: {"email": "user@example.com", "captchaResp": "INSERT_CAPTCHA_TOKEN", "userIp": "1.2.3.4", "challenge": "", "requestType": "PASSWORD_RESET"} ? Note the challenge should be empty. – bojeil Jun 26 '18 at 01:58
  • @bojeil I'm seeing 4 parameters in the POST request body: action=resetPassword&email=&challenge&response=. The challenge is indeed empty. – DFB Jun 26 '18 at 04:03
  • Thanks for confirming @DFB. It appears this is a regression bug that affected projects trying to migrate to Firebase. The fix is on the way. – bojeil Jun 26 '18 at 18:25
  • Hey @DFB, we pushed a potential fix. Can you try to check again? – bojeil Jun 26 '18 at 23:54
  • Hello @bojeil I'm still getting the same error. I've tried it after clearing the browser cache, and tried it from 3 different browsers, but it's still the same. Do I need to change anything at my end? Thanks for your help. – DFB Jun 27 '18 at 03:59
  • Hey @DFB, the original issue should be fixed. The OOB code should be getting generated. No errors are appearing on that endpoint for your project. Try to get more information on the errors you are getting. I don't think they are related to the original error. – bojeil Jun 27 '18 at 20:34
  • @bojeil I do see a different problem now. `oobResponse.getResponseBody()` now returns `{"error": "unknown request" }`. This is different from what I was getting earlier `{"error": "CAPTCHA_CHECK_FAILED" }`. `oobAction` is still `null`. `oobResponse.getOobUrl()` returns `Optional.absent()`. – DFB Jun 28 '18 at 01:09
  • Seems like it is hitting this path: https://github.com/google/identity-toolkit-java-client/blob/61dda1aabbd541ad5e431e840fd266bfca5f8a4a/src/main/java/com/google/identitytoolkit/GitkitClient.java#L483 – bojeil Jun 28 '18 at 01:45
  • @bojeil It's working perfectly now. I figured out the problem. I had added `request.getReader()` to parse request parameters for debugging purposes. But as per Oracle's documentation https://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getParameter(java.lang.String) it can interfere with the execution of `request.getParameter()`. After removing `getReader()`, password reset is working well. Thanks so much for helping to resolve this issue. – DFB Jun 28 '18 at 06:00
  • Cool. Really glad it is fixed! – bojeil Jun 28 '18 at 16:42
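An added example (not the asker's code or the library's own sample) of how the OOB endpoint discussed in these comments can be written so that it never consumes the request body before the parameters are read, never sends mail when the Gitkit client returns an error body, and always answers the widget with JSON. It assumes `SendMailService` is the question's hypothetical mail helper, that the `GitkitClient` is configured elsewhere, that `OobAction` is the enum nested in `OobResponse`, and that `getOobResponse` throws `GitkitClientException`.

```java
import java.io.IOException;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.common.base.Optional;
import com.google.identitytoolkit.GitkitClient;
import com.google.identitytoolkit.GitkitClientException;
import com.google.identitytoolkit.OobResponse;
import com.google.identitytoolkit.OobResponse.OobAction; // assumed: OobAction is nested in OobResponse
public class GitkitOobServlet extends HttpServlet {
  private static final Logger logger = Logger.getLogger(GitkitOobServlet.class.getName());
  private GitkitClient gitkitClient;       // assumed: configured/injected elsewhere
  private SendMailService sendMailService; // hypothetical mail helper, as in the question

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // Debug via the parsed parameter map. Calling request.getReader() or
    // getInputStream() first would consume the form-encoded body; afterwards
    // getParameter("action") returns null and the Gitkit client sees "unknown request".
    for (Map.Entry<String, String[]> p : request.getParameterMap().entrySet()) {
      // "response" carries the reCAPTCHA token; keep it out of the log.
      String shown = "response".equals(p.getKey()) ? "<redacted>" : String.join(",", p.getValue());
      logger.info(p.getKey() + " = " + shown);
    }
    String body;
    try {
      OobResponse oob = gitkitClient.getOobResponse(request); // assumed to throw GitkitClientException
      Optional<String> oobUrl = oob.getOobUrl();
      if (OobAction.RESET_PASSWORD.equals(oob.getOobAction()) && oobUrl.isPresent()) {
        // Only now is there a verified address and a signed reset link to deliver.
        sendMailService.sendPasswordResetEmail(oob.getEmail(), oobUrl.get());
      } else {
        // e.g. {"error": "CAPTCHA_CHECK_FAILED"}: action is null, so nothing is sent.
        logger.warning("OOB request not fulfilled: " + oob.getResponseBody());
      }
      body = oob.getResponseBody(); // the JSON the widget expects, success or error
    } catch (GitkitClientException e) {
      logger.warning("Gitkit OOB request failed: " + e.getMessage());
      body = "{\"error\": \"internal error\"}";
    }
    // The widget parses JSON; a plain string such as "Password reset email sent
    // successfully." is what produces the "Invalid JSON string" console error.
    response.setContentType("application/json");
    response.getWriter().write(body);
  }
}
```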

1 Answer


The issue was fixed by the Google team on the backend without any change from my end. See comments on the original issue for details.

DFB