400 on forgot password for users using github verification

[whatSocks]

Does forgot password work?

try:

• create account via invite (update: pick I picked github verification, this might be important)
• change email
• log out
• try forgot password (see 400 error in console and error message telling me my email is wrong)

on the beta version, I'm pretty sure I'm putting in the correct email (the one I was invited with and the one I changed it to).

  const submitEmail = (e: any) => {

            e.preventDefault()

            if (email) {

              WebService.forgotPassword({

                email: email,

              }).subscribe(async (data) => {

                if (data.ok) {

                  setEmailSent(true);

                  setColor(BgColor.Yellow);

                } else {

                  alert.error("There is no user associated with that email address.");

                }

              });

            }

          };

[alexrandaccio]

thank you for opening this, I'll take a look!

[whatSocks]

@alexrandaccio I know this isn't support but I've created like 3 test accounts (using video as verification) now and can't reproduce the situation. I'm able

• to create an account
• navigate to forgot password
• get the forgot password email
• reset password
• log in
• send credits (this button should probably be disabled for non-verified users)

I originally created my account on my phone, then I went to log in on my computer, then did forgot password, got stuck, went back to phone and am now logged out on the phone's browser.

If there's a chance I did set my password to an email I don't have access to (example, I made a typo), it would be nice to send a verification email and tell the user about this verification email upon signup as a sanity-check?

[whatSocks]

I did the steps again (this time saving my email and pw to lastpass and using github as verification) and am locked out again.

[alexrandaccio]

You're absolutely right, we should at least add a confirmation email on signup.

Could you list exactly what steps you took to get to this point, so that I can get a picture of what may have happened on the backend? It might be helpful to include the email addresses you used so that I can look them up in the database and check if any duplicate accounts were created, etc. If you're comfortable with that, shoot me an email at voice@radicalxchange.org to keep that information private.

[whatSocks]

best steps:

• have a github account
• be logged out of platform
• click on an invite link from one of your existing emails to go to signup screen
• create a brand new email address to use with new platform (example oldname+rxc@domain.com)
• fill out signup form with new email, tap github as verification
• go through github verification flow
• success! you're in the app
• go to another device / browser
• try to log in but maybe wrong password? or wrong email? something's wrong
• do forgot password on this new device
• get 400 error

[alexrandaccio]

Thanks so much for providing that info! I still haven't been able to reproduce the error though. Everything is working as expected for me. Are you still experiencing that error? Given what I know so far, the only explanations I can think of are:

• for some reason, when you filled out your account information with the new email address and hit submit, your information did not save (in which case this is a network problem or rare backend bug, solution TBD)
• you did not enter your email address correctly because we didn't send you a confirmation email (I will definitely fix this asap)

[whatSocks]

@alexrandaccio I can't test much more since I have to be able to log in to send myself invites to create new accounts.

check it out:

this user definitely existed (and for all I know still exists, the error message is hard coded after all, it could be a different issue)

[image redacted]

I was even able to do forgot password

[image redacted]

Now I can't (2 hours later)

[image redacted]

could I possibly have a new invite and some new credits 🙏

[alexrandaccio]

Yes, I can definitely set you up with a new invite and 99 credits.

I'm pretty baffled by this--I even just tried inputting the email address in the screenshot you posted into "forgot my password" and it appeared to work (did you get the email?)

[whatSocks]

I think I got it. Confounding this, I think there's some other things going on:

• some issue with authentication in general: If you create an account, log out, then create another account, you see the info from the previous account and have to refresh for it to go away. (not sure if this happens all the time or just sometimes)
• I feel like i was able to create multiple accounts with the same email
• I was able to verify different accounts using the same github account
• the error message is hard-coded, maybe showing the response from the server might help debug?

[alexrandaccio]

• some issue with authentication in general: If you create an account, log out, then create another account, you see the info from the previous account and have to refresh for it to go away. (not sure if this happens all the time or just sometimes)

Adding an "edit account" feature on the account page will fix this.

• I feel like i was able to create multiple accounts with the same email

We can rest assured that it's definitely not possible for two accounts with the same email to coexist. But I think I know what gave you that impression (it was a different bug that I discovered this morning)--will explain below.

• I was able to verify different accounts using the same github account

This is a known bug/feature. I never built in a check for this, and my thinking was that the point of having these methods of verification is so that users can hold other users accountable by checking their third-party accounts. So if you create two accounts with the same github account, any user or admin can see that on the Delegation page and report you for creating Sybils, and your account will be removed. If the site prevents you from doing that, I think it might push you to find more creative ways to create Sybils that will be harder to catch. The whole anti-cheating design of RxC Voice is an ongoing conversation, though, so dissenting opinions are definitely welcome. Let me know what you think.

• the error message is hard-coded, maybe showing the response from the server might help debug?

The error-handling is pretty rudimentary site-wide--you're definitely right about this.

I discovered a bug this morning

This was definitely the cause of at least some of your login headaches yesterday @whatSocks. Two other users reported that they created their accounts, logged out, then were not able to log back in. This problem only occurred if you used the Already have an account? Sign in link in your invitation email, which is why I couldn't replicate it yesterday.

It was because I did not originally intend for that link to be used for regular logins. The point of that link was to cover a specific case:

1. User 1 has an account at email address A
2. User 2 does not realize that User 1 already has an account, and "invites" User 1 by sending credits to email address B
3. User 1 opens the invitation email at email address B, clicks on Already have an account? Sign in
4. User 1 logs into account A, the backend verifies their credentials, moves the credits from account B to account A, then deletes account B

I didn't anticipate people using that link to login under normal circumstances (oops). So I didn't realize that when a user clicks the link from email address A and logs into account A, the backend verifies their credentials, moves the credits from account A to account A (does nothing), then deletes account A (game over for User 1). I patched it in 617666ece38fd112eac44541561005a8e5587dd3