clearbold / artx


Testing Forgot Password #57

Closed heymarkreeves closed 9 years ago

heymarkreeves commented 9 years ago

Hi, Sherri!

A few items I'm seeing on the Forgot Password functionality (#51):

After all that...

It looks like I exposed a possible kink in the process.

I first did a "Forgot Password?" in Safari and the link hadn't arrived, so I headed to Chrome. Right after I submitted the form in Chrome, I got the email with the link and used that link in Chrome.

But that wasn't the more recent link. That was the one from the Safari session. I don't know if that was invalidated on the server or what, but the reason I experienced the steps outlined above was because of that link. I ended up getting a second email, and when I used that link in Chrome, all went smoothly.

So we need to look at:

1) The stacking up of errors when authorization fails in the sign-in form.
2) Whether a password reset link is invalidated by us if two requests come in or by the backend app (and if that's something we should mitigate).
3) Why I didn't receive an error when I used the invalid link. It just spun and left me on the page.

Let me know if you have trouble reproducing or addressing these.

Thanks!

Mark

SherriAlexander commented 9 years ago

Hey there! I will definitely look into these -- it sounds like there's a silent error happening on the Ajax side of things. I can try and duplicate these conditions and check messages in the console log to verify. Stacking errors are definitely problematic, and I'll make sure to address that while I'm in there. Thanks for catching these!

SherriAlexander commented 9 years ago

Hey there! I think I've fixed up the stacking error problem, thank you for catching that!

I've verified that if you send a Forgot Password request, and then you send another Forgot Password request, and then you try to use the first Forgot Password request, it results in an error from the backend API:

http://artbot-api.herokuapp.com/registrations 
Failed to load resource: the server responded with a status of 404 (Not Found)
Error: Not Found
jqXHR status: 404 Not Found

I've entered a ticket over on the Hyperstudio side to follow up with Liam. I'll keep this one updated as we go. Thanks!

SherriAlexander commented 9 years ago

So the error handed back by the API is "Reset_password_token is invalid", which we're now displaying below the form if you try to submit a Reset Password request from an expired email. It's not too user friendly, but at least it's not silently failing now. Think that's good to go? Let me know what you think when you can. Thanks!
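
The behavior discussed in this thread (a second Forgot Password request superseding the first link, and the stale link producing a visible error rather than a silent failure), sketched as an added example that is not code from artx or the backend API. The class and function names and the one-hour lifetime are assumptions; the 404 status and error text mirror what the thread reports.

```javascript
// Added example; ResetTokenStore, formMessage and TOKEN_TTL_MS are hypothetical names.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed lifetime, not stated in the thread
// Status and message mirror what the thread reports for a stale link.
const INVALID = { ok: false, status: 404, error: "Reset_password_token is invalid" };

const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

class ResetTokenStore {
  constructor() {
    this.byUser = new Map(); // email -> { digest, expiresAt }
  }

  // A new request overwrites the previous record, so only the newest link works.
  issue(email, now = Date.now()) {
    const token = crypto.randomBytes(32).toString("hex");
    this.byUser.set(email, { digest: sha256(token), expiresAt: now + TOKEN_TTL_MS });
    return token; // goes into the emailed link; only its hash is stored
  }

  // Every path returns an explicit result, so the caller never has to guess.
  redeem(email, token, now = Date.now()) {
    const rec = this.byUser.get(email);
    if (!rec || !crypto.timingSafeEqual(rec.digest, sha256(token))) return { ...INVALID };
    this.byUser.delete(email); // single use, whether or not it has expired
    return now > rec.expiresAt ? { ...INVALID } : { ok: true, status: 200 };
  }
}

// Client side: one message per attempt, replacing (not appending to) the last one.
function formMessage(result) {
  return result.ok ? "" : result.error || "Password reset failed. Request a new link.";
}

// Constructed walk-through of the two-browser sequence from the thread.
function demo() {
  const store = new ResetTokenStore();
  const first = store.issue("user@example.test");  // request from browser A
  const second = store.issue("user@example.test"); // request from browser B
  return [store.redeem("user@example.test", first), store.redeem("user@example.test", second)]
    .map(formMessage);
}
```
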

mailbackwards commented 9 years ago

That's fine for now, I think. I'll look into a more user-friendly message when I have time. Thanks!

SherriAlexander commented 9 years ago

Thanks, Liam! I think it might be worthwhile also for me to look into centralizing and overhauling the entire system of how errors are generated and displayed on the site, if time allows during the next phase of development. I've been kicking some ideas around as I've been going. :)