benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License
2.34k stars, 1.14k forks

Forgot password email has link corrupted #1586

Open federicovilla opened 3 months ago

federicovilla commented 3 months ago

Hi, in my project I'm using Ion Auth 3. The forgotten password email is sent correctly by the script, but the anchor in the email does not work. I get the following error if I try to click on the link to set a new password (using a custom email template): The URI you submitted has disallowed characters.

(screenshot: uri_error)

If I use the email template included in the downloaded package, I get an email with no link at all. Here is the source of the received email. Thanks a lot for any hint or help, and sorry for my bad English.

```
Return-Path: admin@gavs.it
Delivered-To: federico.villa@gavs.it
Received: from srv.hdedi-xlogic3000.org by srv.hdedi-xlogic3000.org with LMTP id iMKXHdRAimYTRAAA29GO/Q (envelope-from admin@gavs.it) for federico.villa@gavs.it; Sun, 07 Jul 2024 09:16:36 +0200
Return-path: admin@gavs.it
Envelope-to: federico.villa@gavs.it
Delivery-date: Sun, 07 Jul 2024 09:16:36 +0200
Received: from [159.69.73.219] (port=47522 helo=gavs.it) by srv.hdedi-xlogic3000.org with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from admin@gavs.it) id 1sQM8S-00000000AVI-1sbf for federico.villa@gavs.it; Sun, 07 Jul 2024 09:16:36 +0200
Date: Sun, 7 Jul 2024 09:16:36 +0200
From: "GAVS.it" admin@gavs.it
To: federico.villa@gavs.it
Subject: =?UTF-8?Q?GAVS.it=20-=20Verifica=20il=20cambio=20password=20dimenticata?=
Reply-To: admin@gavs.it
User-Agent: CodeIgniter
X-Sender: admin@gavs.it
X-Mailer: CodeIgniter
X-Priority: 3 (Normal)
Message-ID: 668a40d465a1b@gavs.it
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="B_ALT_668a40d465a2b"

--B_ALT_668a40d465a2b
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reimposta Password per Si prega di cliccare su questo collegamento per Reimposta la tua Password.

--B_ALT_668a40d465a2b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Reimposta Password per

Si prega di cliccare su = questo collegamento per Reimposta la tua Password<=3D /a>.

--B_ALT_668a40d465a2b--
```

(The Italian body text reads: "Reset Password for" / "Please click on this link to Reset your Password.")

avenirer commented 3 months ago

In the URL I see you have a space before the string... f=%20... Maybe it's from that?

federicovilla commented 3 months ago

Hi Adrian, nice to meet you again! Thanks a lot for your feedback and for taking the time to check this issue. The weird thing is that the URL is built using Ben's code, with the forgotten-password code taken from the DB. The code is the following:

```php
// Ask Ion Auth for a forgotten-password code; it stores the code in the DB and
// returns the data the e-mail template needs, or FALSE on failure.
// $identity is the user row looked up earlier in the controller method (not shown here).
if ($data = $this->ion_auth->forgotten_password($identity->{$this->config->item('identity', 'ion_auth')}))
{
    // Custom email
    $this->load->library('email');
    $this->email->clear();

    // Set email config
    $config['protocol']  = 'smtp';
    $config['smtp_host'] = 'ssl://xxxxxxxxxxxx.it';
    $config['smtp_port'] = '465';
    $config['smtp_user'] = 'xxxxxxx@xxxx.xx';
    $config['smtp_pass'] = 'xxxxxxxxx';
    $config['mailtype']  = 'html';
    $config['charset']   = 'utf-8';
    $config['wordwrap']  = TRUE;
    $config['newline']   = "\r\n";

    $this->email->initialize($config);

    // Render the custom template with the data returned by forgotten_password()
    $message = $this->load->view('_email/forgot_password.tpl.php', $data, TRUE);

    $this->email->from($this->config->item('admin_email', 'ion_auth'), $this->config->item('site_title', 'ion_auth'));
    $this->email->to($this->input->post('identity'));
    $this->email->subject($this->config->item('site_title', 'ion_auth') . ' - ' . $this->lang->line('email_forgotten_password_subject'));
    $this->email->message($message);

    if ($this->email->send())
    {
        $this->session->set_flashdata('success', $this->ion_auth->messages());
        redirect("nuovo/auth/forgot", 'refresh');
    }
}
else
{
    $this->session->set_flashdata('warning', $this->ion_auth->errors());
    redirect("nuovo/auth/forgot", 'refresh');
}
```

Maybe CI 3 has corrupted the URL parameter?

avenirer commented 3 months ago

Hello. I haven't opened a CodeIgniter project for a long time. In order to test, maybe you should take a look at the configuration for URLs:

```php
public string $permittedURIChars = 'a-z 0-9~%.:_\-';
```

Just to test, you could set an empty string there and see if it works. Afterwards, you should work out which characters you need to allow for this (maybe $).

federicovilla commented 2 months ago

Hi Adrian, thanks a lot for your time and for your hint. I did the suggested test, but it didn't fix the issue. The URL in the email is quite weird, since it looks like the following one:

```
<a href=3D"http=3D s://gavs.= it/admini/auth/reset_password/5210d32522693403aff4.49b2b2108fe29=3D dc8a882= 8ac18e49e529e36e7d69e7941ae12a37a61c2a1a5888c8b293649c06e5a4">Re=3D imposta = la tua Password</a>
```
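The filter behind "The URI you submitted has disallowed characters" can be checked directly rather than guessed at. In CodeIgniter 3 the string lives in `$config['permitted_uri_chars']` (in CodeIgniter 4 it is `$permittedURIChars`, as quoted above) and is dropped unchanged into a regular-expression character class that every URI segment must match; an empty string switches the check off. The Python script below is an added example, not Ion Auth or CodeIgniter code: it decodes a constructed quoted-printable text/html part shaped like the one in this issue (the `example.invalid` host and the reset code are made up), extracts the href both as a correctly decoding mail client sees it and as it appears when the `=3D` and soft-break `=` bytes are left in place, and reports which characters of each path segment the default class rejects.

```python
"""Check a reset link from a quoted-printable e-mail part against CodeIgniter's
permitted-URI-character filter.

Added diagnostic example; this is not Ion Auth or CodeIgniter code, and the
MIME part below is constructed to resemble the fragment quoted in the issue."""
import quopri
import re
from urllib.parse import urlsplit

# CodeIgniter 3 ships this as $config['permitted_uri_chars'], CodeIgniter 4 as
# $permittedURIChars. CodeIgniter runs preg_match('/^[<chars>]+$/i', $segment),
# so 'a-z' and '0-9' are ranges, the space is a literal space and '\-' is a
# hyphen. Assumption: the deployment still uses this default.
PERMITTED_URI_CHARS = r"a-z 0-9~%.:_\-"

# Constructed text/html part, quoted-printable encoded the way the issue shows
# it: '=3D' is an encoded '=' and a trailing '=' is a soft line break. Host and
# reset code are made up.
RAW_HTML_PART = (
    'Please click on <a href=3D"https://example.invalid/auth/reset_passwor=\r\n'
    "d/0123456789abcdef0123.456789abcdef0123456789abcdef0123456789abcdef0123=\r\n"
    '456789abcdef">this link</a> to reset your password.'
)


def disallowed_chars(segment: str, chars: str = PERMITTED_URI_CHARS) -> set:
    """Characters of one URI segment that would trigger
    'The URI you submitted has disallowed characters.'
    An empty `chars` disables the filter, exactly as it does in CodeIgniter."""
    if not chars:
        return set()
    allowed = re.compile("[" + chars + "]", re.IGNORECASE)
    return {c for c in segment if not allowed.fullmatch(c)}


def check_link(url: str, chars: str = PERMITTED_URI_CHARS) -> dict:
    """Map every path segment CodeIgniter would reject to its offending characters."""
    rejected = {}
    for segment in urlsplit(url).path.split("/"):
        bad = disallowed_chars(segment, chars)
        if bad:
            rejected[segment] = bad
    return rejected


def decode_part(raw: str) -> str:
    """Undo quoted-printable: soft breaks disappear and '=3D' becomes '='."""
    return quopri.decodestring(raw.encode("ascii")).decode("utf-8")


def href_from_decoded(html: str) -> str:
    """The link a correctly decoding mail client would open."""
    match = re.search(r'href="([^"]+)"', html)
    if match is None:
        raise ValueError("no href in decoded part")
    return match.group(1)


def href_as_shown_undecoded(raw: str) -> str:
    """Simulate a client, or a copy from the raw source, that keeps the
    quoted-printable bytes and turns line breaks into spaces, which is the
    shape of the link quoted in the issue."""
    match = re.search(r'href=3D"([^"]+)"', raw.replace("\r\n", " "))
    if match is None:
        raise ValueError("no href in raw part")
    return match.group(1)


if __name__ == "__main__":
    good = href_from_decoded(decode_part(RAW_HTML_PART))
    print("decoded link  :", good, "->", check_link(good) or "accepted")
    shown = href_as_shown_undecoded(RAW_HTML_PART)
    print("undecoded link:", shown, "->", check_link(shown))
    # Space and %20 are inside the default class; '=' is not.
    print("rejected in 'a%20b':", disallowed_chars("a%20b"))
    print("rejected in 'a=b'  :", disallowed_chars("a=b"))
```

With the default class the decoded link passes, while the undecoded form fails only because of the `=` left over from quoted-printable; a literal space and `%20` are both members of `a-z 0-9~%.:_\-`, so a space alone would not trip an unmodified default. Set `PERMITTED_URI_CHARS` to the deployment's actual value (or an empty string, as suggested above) to see how the verdict changes.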