magento / magento2


Password reset link not working after updating to Magento 2.4.4 #35487

Closed BenItt closed 2 years ago

BenItt commented 2 years ago

Preconditions (*)

  1. Magento 2.4.4. Community Edition / self hosted
  2. Running with PHP 7.4
  3. Multi Store environment de (German) en (English)

Steps to reproduce (*)

  1. Go to Stores --> Configurations --> Settings --> Customers --> Customer Configuration
  2. Set "Recovery Link Expiration Period (hours) = 2" or leave as it is per configuration settings on "Default Config" level
  3. Register customer via YourMagentoInstance.com/en/customer/account/create/
  4. Log out
  5. Go to Forgot password via YourMagentoInstance.com/en/customer/account/forgotpassword/
  6. Enter your E-Mail --> Demand Password Reset
  7. Access E-Mail in your e-mail program
  8. Click on "Set a new password" in mail

Expected result (*)

  1. Link will forward you to YourMagentoInstance.com/en/customer/account/forgotpassword/
  2. You can set new password accordingly

Actual result (*)

  1. Link will forward you to YourMagentoInstance.com/en/customer/account/forgotpassword/
  2. Error message will show "Your password reset link has expired."

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

m2-assistant[bot] commented 2 years ago

Hi @BenItt. Thank you for your report. To speed up processing of this issue, make sure that you provided the following information:

Make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.


:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

manavluhar commented 2 years ago

@magento give me 2.4-develop instance

magento-deployment-service[bot] commented 2 years ago

Hi @manavluhar. Thank you for your request. I'm working on Magento instance for you.

magento-deployment-service[bot] commented 2 years ago

Hi @manavluhar, here is your Magento Instance: https://3bc3de3faa14ff4ca128a18b48a982af.instances.magento-community.engineering Admin access: https://3bc3de3faa14ff4ca128a18b48a982af.instances.magento-community.engineering/admin_dab5 Login: 1d732805 Password: 9084768d41f7

BenItt commented 2 years ago

Dear @manavluhar,

thank you for the same.

Using same template code as from your Magento instance leads to same error on our instance :/

Very strange. Magento 2.4.4 update from 2.3.5 was fresh update.

Possibly extensions cause this problem?!

Do you have same CreatePassword.php as the one here?

```php
<?php /**

namespace Magento\Customer\Controller\Account;

use Magento\Customer\Api\AccountManagementInterface;
use Magento\Customer\Model\ForgotPasswordToken\ConfirmCustomerByToken;
use Magento\Customer\Model\ForgotPasswordToken\GetCustomerByToken;
use Magento\Customer\Model\Session;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\App\ObjectManager;
use Magento\Framework\Controller\Result\Redirect;
use Magento\Framework\View\Result\Page;
use Magento\Framework\View\Result\PageFactory;
use Magento\Customer\Api\CustomerRepositoryInterface;

/**
```

Wondering where the bug comes from. Any possibility to reach out to you directly?

Yours

BenItt commented 2 years ago

Could you check to send Password reset link to any given Gmail address? It seems that link is removed then and arrives as LINK

Also our finding:

When loading templates for forgot e-mail after update to Magento 2.4.4, the variable differs from the vendor e-mail variable:

Your instance as well as ours:

<a href="{{var this.getUrl($store,'customer/account/createPassword/',[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1])}}" target="_blank">{{trans "Set a New Password"}}</a>

When I get the variable from /vendor/magento/module-customer/view/frontend/email --> PasswordReset.html it differs:

<a href="{{var this.getUrl($store,'customer/account/createPassword',[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1])}}" target="_blank">{{trans "Set a New Password"}}</a>

So old instance adds a "/" behind password which then hinders to function properly.

hostep commented 2 years ago

Does the following screenshot help? It's a report I send to Hyvä frontend themes in order to have them fix something very similar. Maybe also double check if your custom theme didn't overwrite the resetforgottenpassword.phtml because in that case you might be missing something there that was added in 2.4.4

[Screenshot: Screen Shot 2022-05-17 at 15 06 42]

BenItt commented 2 years ago

Dear @hostep,

this looks like it could be a solution. Indeed the green marked parts are missing in our vendor/magento/module-customer/view/frontend/templates/form/resetforgottenpassword.phtml

We check to change and inform about progress.

THE FILE WHERE IT WAS MISSING WAS OUR MAGENTO 2.3.5-p1

hostep commented 2 years ago

Alrighty, it's most likely going to be this that fixes your issue.

Next time when you work on a Magento upgrade, consider using this tool: https://github.com/AmpersandHQ/ampersand-magento2-upgrade-patch-helper, it helped us discover this problem (and many others in the past) 🙂

BenItt commented 2 years ago

Dear @hostep,

roll back. I have checked and our Core looks exactly like the screenshot you had posted.

Possibly still our Theme overwrites this function. Checking this now going back to Luma. Thank you for the Ampersand Patch Helper. Will consider this.

m2-assistant[bot] commented 2 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

BenItt commented 2 years ago

Dear @hostep,

in Luma Theme same issue. Very weird.

Yours

hostep commented 2 years ago

Ah okay, then it must be a different problem than the one I ran into apparently.

BenItt commented 2 years ago

Dear @hostep,

good news. We found the culprit. Error was caused by an extension by "IT Recht Kanzlei" from Cyberday which we are using for our legal texts. Deactivating this extension and the error is gone. Finally found this out after looking into so many options in the code.

engcom-Delta commented 2 years ago

Hi @BenItt, thank you for raising an issue. We tried to reproduce the issue on a Magento 2.4.4 instance. The link expired after 2 hours, as we set in the configuration at Stores --> Configurations --> Settings --> Customers --> Customer Configuration. This is expected functionality, and within the 2 hours, if we access the link and try to reset the password, we are able to reset the password successfully. Hence, request to help me out to reproduce the issue with clear steps.

Steps followed:

  1. Go to Stores --> Configurations --> Settings --> Customers --> Customer Configuration
  2. Set "Recovery Link Expiration Period (hours) = 2" or leave as it is per configuration settings on "Default Config" level

     [Screenshot 2022-05-20 at 12 02 56 PM]
  3. Register customer via YourMagentoInstance.com/en/customer/account/create/
  4. Log out
  5. Go to Forgot password via YourMagentoInstance.com/en/customer/account/forgotpassword/
  6. Enter your E-Mail --> Demand Password Reset
  7. Access E-Mail in your e-mail program

     [Screenshot 2022-05-20 at 5 44 40 PM]
  8. Click on "Set a new password" in mail

     [Screenshot 2022-05-20 at 12 09 12 PM] [Screenshot 2022-05-20 at 12 09 37 PM]

Actual results After 2 hours

[Screenshot 2022-05-20 at 1 27 44 PM]

engcom-Delta commented 2 years ago

We have noticed that this issue has not been updated for a period of more than 14 Days. Hence we assume that this issue is fixed now, so we are closing it. Please raise a fresh ticket or reopen this ticket if you need more assistance on this.

robsoned commented 2 years ago

Hello guys, In case someone is having some problem as well. We started having this problem after upgrading from magento 2.3* to Magento 2.4.3-p2. Our problem here was fixed by:

  1. Updating resetforgottenpassword.phtml in our custom theme, to include the customerId in the form action. Like @hostep had commented above: https://github.com/magento/magento2/issues/35487#issuecomment-1129189569
  2. Updating the reset password email template at Marketing -> Email Templates, to also include the customerId in the form action. You can create a new form from the Forgot Password template to see the difference between the 'new' one in magento2.4 and the one you've been using.

     The old version: `[_query:[token:$customer.rp_token],_nosid:1]`

     The one updated: `[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1]`

     You can see that a new parameter is added to the button url, id in this case.

Summarizing:
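
Added example (not part of the comment above and not Magento's own code): a small Python check that scans exported e-mail template text for `createPassword` links whose `_query` lacks the `id` or `token` parameter, which is the difference between the old and updated templates quoted in this thread. The function name `audit_reset_links` and the sample templates are constructed for illustration; the route and parameter names are taken from the directives quoted on this page.

```python
import re

# Matches {{var this.getUrl($store,'<route>',[_query:[<pairs>],...])}} directives
# in the form quoted in this thread.
DIRECTIVE = re.compile(
    r"\{\{var\s+this\.getUrl\(\s*\$store\s*,\s*'(?P<route>[^']*)'\s*,"
    r"\s*\[\s*_query\s*:\s*\[(?P<query>[^\]]*)\]"
)
RESET_ROUTE = "customer/account/createpassword"
REQUIRED = ("id", "token")  # parameters present in the updated template


def audit_reset_links(template):
    """Return one finding per createPassword link found in a template string."""
    findings = []
    for m in DIRECTIVE.finditer(template):
        route = m.group("route")
        if route.rstrip("/").lower() != RESET_ROUTE:
            continue  # some other link in the same template
        # _query is a flat list of key:value pairs, e.g. id:$customer.id
        params = {}
        for pair in m.group("query").split(","):
            key, sep, value = pair.partition(":")
            if sep:
                params[key.strip()] = value.strip()
        missing = [k for k in REQUIRED if k not in params]
        findings.append({
            "line": template.count("\n", 0, m.start()) + 1,
            "route": route,
            "missing": missing,
            "ok": not missing,
        })
    return findings


# Constructed sample templates built from the two _query forms quoted above.
OLD_TEMPLATE = (
    "Hello,\n"
    "<a href=\"{{var this.getUrl($store,'customer/account/createPassword/',"
    "[_query:[token:$customer.rp_token],_nosid:1])}}\">Set a New Password</a>\n"
)
NEW_TEMPLATE = (
    "<a href=\"{{var this.getUrl($store,'customer/account/createPassword',"
    "[_query:[id:$customer.id,token:$customer.rp_token],_nosid:1])}}\">"
    "Set a New Password</a>\n"
)

if __name__ == "__main__":
    for name, tpl in (("old", OLD_TEMPLATE), ("new", NEW_TEMPLATE)):
        for finding in audit_reset_links(tpl):
            print(name, finding)
```

Run it over customised templates from Marketing -> Email Templates after an upgrade; any finding with a non-empty `missing` list is a template still using the pre-2.4 link format.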

royalkaroma commented 1 year ago

Thank you for reporting and collaboration. Verified the issue on Magento 2.4-develop and 2.4.5 instances and the issue is reproducible on both the instances.

We are not getting any exception. But the session has expired, and again we need to Login.

Steps to reproduce :

1. Have 2 browsers open. One with the magento shop, second one with your gmail account.

2. Register a new customer.

3. In the first browser, click on the "forgotten password" link and enter your email address. You'll be redirected to a customer login page. Don't close the tab.

4. In the second browser, click on the "reset password" link in your gmail account. A new browser tab will open. Set a new password.

5. Go back to the first browser, enter your new login information and click on the "login" button.

and I got [Screenshot: Capture]

fabrice-dresscodes commented 1 year ago

Got the same as @royalkaroma on 2.4.4

karanguilherme commented 1 year ago

Reset Password link not working where outlook mail