[#313271] Lost password feature fails


Submitted by:
Christoph Haas (haas)
Date Submitted:
2011-08-04 19:56
Date Closed:
2014-02-18 08:42
status:
Assigned to:
Nicolas Dandrimont (olasd)
Priority:
3
Summary*:
Lost password feature fails

Detailed description
Just tried to recover a lost password. I get the email. I get pointed to the URL. I grab the password shown on the resulting page. But that password does not work.

Followups:

Message
Date: 2011-08-10 23:50
Sender: Asheesh Laroia

I think this works. I just tried it.

Can you give it a fresh shot?
Date: 2011-08-12 21:33
Sender: Christoph Haas

I think I found the problem. Imagine you sign up but do not react to the first activation email that debexpo sends you. (I had that problem here with a misconfigured mail server.) Then you try to recover your lost password and debexpo will generate a new password for you. Unfortunately even if you confirm and use the new password your account is still not activated. With the current state you can never again sign up with that email address or recover the password to get a working account.
Date: 2011-08-13 09:16
Sender: Martijn van Brummelen

If I select it normally with my mouse it goes fine. If I triple-click (select line) it with my mouse I get an extra space added, then it doesn't work.
Right mouse click copy paste also works.
Date: 2011-08-13 11:21
Sender: Christoph Haas

Okay, I just tried it again. My actions:

- check out Git
- create and activate virtualenv
- paster setup-app development.ini (fresh SQLite3 database)
- paster serve --reload development.ini
- paster serve development.ini
- visited http://localhost:5000
- signed up for a new account
- received an activation email but ignored it
- clicked on "Login"
- clicked on "Try resetting your password"
- entered my email address. saw "Okay! You should now get an email with a link. Click the link.".
- Received an email "You requested a password reset" and clicked on the link in the email
- the web site showed me the new password: c1eb0698d8
- clicked on "Login" again
- entered email address and c1eb0698d8 as password
- got a login failure

This is my user entry in the database:

INSERT INTO "users" VALUES(1,'Christoph Haas','email@chr...',NULL,NULL,'bdc57abf457613c50fa5edff07f6db84','2011-08-13 13:13:35.730236',1,1,NULL,NULL,NULL,'9223e9dcb219602b0071774282f4880e');

Conclusion: no, does not work
Date: 2012-07-12 01:47
Sender: Pablo Duboue

I can confirm the bug still exists as of commit c415055d0e6daecbc1f79408e8facdd8653b452e
and can be reproduced with the actions described above.
Date: 2012-07-12 02:48
Sender: Pablo Duboue

And now, for something really interesting, I can no longer reproduce the bug.

First, password_recovery.py:112 contains the line

u.verification = None # This sets the user's email address as "confirmed"

which should fix this bug.

The following patch removed the observed behavior:

--- a/debexpo/controllers/login.py
+++ b/debexpo/controllers/login.py
@@ -70,6 +70,7 @@ class LoginController(BaseController):
"""
log.debug('Form validated successfully')
password = debexpo.lib.utils.hash_it(self.form_result['password'])
+ log.debug('Password hash: ' + password)

u = None
try:
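Review bot: the added `log.debug('Password hash: ' + password)` writes the hash of every submitted login password to the application log, and since `hash_it` is called with only the password (no per-user salt is visible in this hunk), anyone with log access gets what amounts to an unsalted password hash to attack offline. Keep this as a local debugging aid only and do not commit it; if the goal is to compare what login computes with what the reset stored, log a boolean match or a short prefix of the hash instead.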
diff --git a/debexpo/controllers/password_recover.py b/debexpo/controllers/password_recover.py
index 0aa9ec5..9a58d64 100644
--- a/debexpo/controllers/password_recover.py
+++ b/debexpo/controllers/password_recover.py
@@ -108,6 +108,8 @@ class PasswordRecoverController(BaseController):
# FIXME: We should not set u.password directly. Instead, we should
# use a helper from the User model or something.
u.password = debexpo.lib.utils.hash_it(raw_password)
+ log.debug('Password hash: ' + u.password)

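Review bot: same concern as the login hunk, but worse: `u.password` here is `hash_it(raw_password)`, where `raw_password` is a freshly generated credential the user is about to be shown, so the log now carries the hash of a live password. Drop the line before committing. The FIXME in the context (`We should not set u.password directly`) points at the real fix: a helper on the User model that stores the new hash and clears `u.verification` in one step would make it impossible to reset a password and still leave the account unactivated, which is the state described earlier in this ticket.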

it does that even after the log lines are commented out. Could it be the system is running a different version of the code until one of the files is touched?
Date: 2013-03-20 09:44
Sender: Emmanuel Bourg

I encountered the same issue. I sent two password reset requests and got two mails. The link provided in the second mail generates a password that is always rejected. I followed the link in the first mail and eventually got a working password.
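The two failure modes reported in this ticket, a reset that leaves the account unactivated (Christoph's comment of 2011-08-12 and his reproduction steps) and a second reset link that is never accepted (Emmanuel's comment above), are avoided by a recovery flow in which following the mailed link confirms the address and each new request invalidates the previous token. The following is an added, self-contained Python sketch written for this page; it is not debexpo's code, and the `Accounts`/`User` names, the salted PBKDF2 storage format, the token expiry and the single-use handling are assumptions made for the example.

```python
# Added illustration for this ticket, not debexpo's own code. Class and function
# names, the salted storage format and the token handling are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000
RESET_TTL_SECONDS = 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'hex(salt)$hex(digest)'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.encode(), stored.encode())


def _tokens_match(expected: Optional[str], supplied: str) -> bool:
    return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())


@dataclass
class User:
    email: str
    password: str                       # output of hash_password()
    verification: Optional[str]         # activation token; None means address confirmed
    reset_token: Optional[str] = None   # single use; a newer request replaces it
    reset_expires: float = 0.0


@dataclass
class Accounts:
    users: Dict[str, User] = field(default_factory=dict)

    def register(self, email: str, password: str) -> str:
        """Create an unactivated account; return the activation token to mail out."""
        token = secrets.token_urlsafe(32)
        self.users[email] = User(email, hash_password(password), verification=token)
        return token

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a fresh reset token; any earlier link for this user stops working."""
        u = self.users.get(email)
        if u is None:
            return None   # the web layer should still answer "check your mail"
        u.reset_token = secrets.token_urlsafe(32)
        u.reset_expires = time.time() + RESET_TTL_SECONDS
        return u.reset_token

    def complete_reset(self, email: str, token: str) -> Optional[str]:
        """Consume the token and return a generated password to show once.
        Following the mailed link proves control of the mailbox, so a pending
        activation is cleared too; otherwise login keeps refusing the account."""
        u = self.users.get(email)
        if u is None or time.time() > u.reset_expires or not _tokens_match(u.reset_token, token):
            return None
        new_password = secrets.token_hex(5)   # 10 hex chars, same shape as in the report
        u.password = hash_password(new_password)
        u.reset_token = None                  # single use
        u.verification = None                 # mailbox control demonstrated
        return new_password

    def login(self, email: str, password: str) -> bool:
        u = self.users.get(email)
        if u is None or u.verification is not None:
            return False                      # unknown, or never activated
        return verify_password(password, u.password)


def reset_without_activation_then_login() -> bool:
    """Scenario from the report: sign up, ignore activation mail, reset, log in."""
    acct = Accounts()
    acct.register("user@example.org", "original-secret")   # activation token discarded
    token = acct.request_reset("user@example.org")
    new_pw = acct.complete_reset("user@example.org", token)
    return new_pw is not None and acct.login("user@example.org", new_pw)


def only_latest_reset_link_works() -> bool:
    """Two reset requests: the first link must be dead, the second must work."""
    acct = Accounts()
    acct.register("user@example.org", "original-secret")
    first = acct.request_reset("user@example.org")
    second = acct.request_reset("user@example.org")
    return (acct.complete_reset("user@example.org", first) is None
            and acct.complete_reset("user@example.org", second) is not None)
```

The choice to let the newest request win is a design decision for this sketch; the opposite (first link valid, later ones rejected) is what Emmanuel observed and is the more confusing behaviour for a user who clicks the most recent mail. Either way, the token must be consumed on use and the account must be marked confirmed by the reset itself, since the mailed link already demonstrated control of the address.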
Date: 2014-02-18 08:42
Sender: Nicolas Dandrimont

Hi folks,

This was fixed in commit dfa05098be7671530e9f7502846feb5b8b85443f.

Cheers,
Nicolas

Change Log:

Field        Old Value  Date              By
status_id    Open       2014-02-18 08:42  olasd
close_date   None       2014-02-18 08:42  olasd
assigned_to  none       2014-02-18 08:42  olasd
status       Open       2014-02-18 08:42  olasd