FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Send password reset action in admin UI reports success despite Exception #2011

Open lancegliser opened 1 year ago

lancegliser commented 1 year ago

Send password reset action in Admin UI reports success despite Exception

Description

I'm attempting to send a password reset email for a user. It claims to have sent, but the user never gets it. Checking the event logs I found:

Async Email Send exception occurred.

Template Id: 0d6bc034-c3ba-4642-820d-70725ac72d0f Template Name: [FusionAuth Default] Forgot Password Tenant Id: 3b9f9a21-952d-4c9d-b15d-c85d37969e4c Addressed to: Jane Doe jane.doe@torch.ai

Cause: jakarta.mail.AuthenticationFailedException : Message: 535 5.7.139 Authentication unsuccessful, the user credentials were incorrect. [BL1PR13CA0296.namprd13.prod.outlook.com]

Affects versions

Hosted instance 1.41.3

Steps to reproduce

Steps to reproduce the behavior:

After mangling your SMTP credentials:

  1. Go to 'Users'
  2. Click on Manage for a user
  3. Click on dropdown
  4. Click on Send reset email
  5. Give it a minute
  6. Click on system > event logs
  7. See error

Expected behavior

If something goes wrong sending, I am notified without having to dig into the system logs. In a mail queueing system, it might be sent in batches out of immediate band. I at least need to be provided with some sort of popup toast / snackbar telling me the problem existed.

Related

mooreds commented 1 year ago

@lancegliser this is working as designed. We don't want to ever reveal success or failure of a password reset request, as that opens up FusionAuth to enumeration attacks.

The main method for FusionAuth to convey configuration errors is the event log, which you've found. You can subscribe to event log webhooks to receive additional notification: https://fusionauth.io/docs/v1/tech/events-webhooks/events/event-log-create

Does that suffice? Or am I missing something?
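One way to act on the event-log webhook suggested above: a small receiver that watches for the "Async Email Send exception" entries and turns them into an alert. This is an added example, not FusionAuth code; the payload field names (event.type, eventLog.type, eventLog.message) and the sample body are assumptions constructed from the log text in this issue.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample body for an event-log.create webhook carrying the failure from
# this issue. The field layout is an assumption, not copied from FusionAuth docs.
SAMPLE_BODY = json.dumps({"event": {"type": "event-log.create", "eventLog": {
    "type": "Error",
    "message": "Async Email Send exception occurred.\n\n"
               "Template Id: 0d6bc034-c3ba-4642-820d-70725ac72d0f "
               "Template Name: [FusionAuth Default] Forgot Password "
               "Tenant Id: 3b9f9a21-952d-4c9d-b15d-c85d37969e4c "
               "Addressed to: Jane Doe jane.doe@torch.ai\n\n"
               "Cause: jakarta.mail.AuthenticationFailedException : Message: 535 5.7.139 "
               "Authentication unsuccessful, the user credentials were incorrect.",
}}})

# Pull out what an on-call person needs: which template, which tenant, which exception.
FAILURE_DETAILS = re.compile(
    r"Template Name: (?P<template>.+?) Tenant Id: (?P<tenant>[0-9a-f-]{36})"
    r".*?Cause: (?P<cause>[\w.$]+)",
    re.DOTALL,
)


def classify_event(body: str):
    """Return an alert dict if the body is an async email-send failure, else None."""
    event = json.loads(body).get("event", {})
    if event.get("type") != "event-log.create":
        return None
    log = event.get("eventLog", {})
    message = log.get("message", "")
    if log.get("type") != "Error" or not message.startswith("Async Email Send exception"):
        return None
    m = FAILURE_DETAILS.search(message)
    fields = m.groupdict() if m else {"template": None, "tenant": None, "cause": None}
    return {"template": fields["template"], "tenantId": fields["tenant"], "cause": fields["cause"]}


class EventLogWebhook(BaseHTTPRequestHandler):
    """Minimal receiver: acknowledge every event, raise an alert for email failures."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        alert = classify_event(body)
        if alert:
            print(f"ALERT: email send failed: {alert}")  # swap for a pager/chat hook
        self.send_response(200)  # acknowledge receipt to FusionAuth
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8088), EventLogWebhook).serve_forever()
```

The receiver does no caller authentication; restrict it to the network path FusionAuth uses or check whatever header the webhook is configured to send.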

lancegliser commented 1 year ago

Perhaps I missed communicating something.

We don't want to ever reveal success or failure of a password reset request, as that opens up FusionAuth to enumeration attacks.

I can agree and see that if this was the user themselves requesting a reset. This bug is specifically about the admin attempting to "Send password reset" for any given user. Screenshot for clarity:

[screenshot]

Url: /admin/user/manage/{guid}?tenantId={guid}

If a user can access the admin, they may well be able to access the SMTP settings and change them anyway? This feels similar to #2008. An admin takes an action, it does or does not succeed, but the status is communicated incorrectly.

mooreds commented 1 year ago

Thank you for the clarification. That makes your suggestion clear. Appreciate it!

robotdan commented 1 year ago

The assumption when using email based actions in the UI is that email is configured and working. Similar to a database, elasticsearch, etc - all of those things have to be working otherwise lots of things can and will fail.

While working as designed, @lancegliser is correct - this is the same issue as documented in https://github.com/FusionAuth/fusionauth-issues/issues/2008.

The issue is that the Email Send API is always async - so if there is a connection failure with the SMTP server, the API will not know about it. An event log will be created indicating the email could not be sent.

The Test button in the tenant config does not use the Send API, instead it calls some services directly so we can capture these errors synchronously.

If we want to allow admin actions in the UI to collect errors when your SMTP service is not yet configured, we have to send these requests synchronously. The Send API does not currently support this - so we'll need to add an option to the Email Send API to send emails synchronously and then use that mode when sending emails from the admin UI.