magento / magento2

Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
http://www.magento.com
Open Software License 3.0

2.1 Can't reset customer password #5260

Closed sheldonli999 closed 7 years ago

sheldonli999 commented 8 years ago

Steps to reproduce

  1. Install Magento 2.1
  2. Choose a customer
  3. Edit the customer
  4. Click reset password

Expected result

  1. Send out the password reset email
  2. ...

Actual result

  1. See the error message: Something went wrong while resetting customer password.
  2. [Screenshot, logs]
  3. ...

The reason I have to reset the customer password is the customer can't request to reset password either. Second, when saving address via webapi (Magento\Customer\Api\CustomerRepositoryInterface save), if I don't send password, the password is rehashed, the customer can't login with the current password.

veloraven commented 8 years ago

@sheldonli999, thank you for the report.

Unfortunately I was not able to reproduce the main issue you described. Could you please provide us with more information? Like versions of PHP, MySQL and web server. Also it can be helpful if you describe settings of your Magento instance: was it fresh install or upgrade from previous version? Do you have many store views? Maybe some other settings.

Additionally, as I see you mentioned two other problems in this ticket:

I was able to change customer's password in three ways:

  1. From customer's dashboard
  2. Via 'Forgot Your Password?' link
  3. From admin area using 'Reset Password' button as described in steps

So if you provide additional data I can continue investigation.

dthampy commented 8 years ago

@sheldonli999, the only way I was able to reproduce the error was when I didn't have an SMTP server installed.

sheldonli999 commented 8 years ago

I am able to reproduce the bug easily. Select a customer and edit it (inside admin backend). Click the reset password link, and received an email. Click the link inside the email. Typed in the new password. The error is displayed. Please see the attached screenshot. I can't find any exceptions in the log.

sheldonli999 commented 8 years ago

[Attached screenshot: screen shot 2016-07-06 at 7 27 38 am]

sheldonli999 commented 8 years ago

Now click the forget password link on the frontend page (customer page), filled the email address. An error occurred. Please see the attached.

[Attached screenshot: screen shot 2016-07-06 at 7 35 48 am]

veloraven commented 8 years ago

@sheldonli999 , thank you for screenshots. Unfortunately I still was not able to reproduce the issue. Could you please answer my questions from a comment above? Probably you missed it, but your answers can help us in issue reproducing.

andimov commented 8 years ago

According to contributor guide, tickets without response for two weeks should be closed.

crantron commented 8 years ago

@andimov @veloraven : having this issue in 2.1 as well.

crantron commented 8 years ago

This happens if you reset the customer password more than once.

crantron commented 8 years ago

this should be re-opened

thanhv83 commented 8 years ago

I have the same error with old customers created before the update to Magento 2.1.

Customer can't log in, message: An unspecified error occurred. Please contact us for assistance.

When customer resets password, error message: We're unable to send the password reset email.

When I reset password from admin, error message: Something went wrong while resetting customer password.

My server: VPS1: Apache 2.4; PHP 7.0.10. VPS2: MySQL 5.6.

How to fix?

crantron commented 8 years ago

The problem is that there is still an unanswered forgot email. In the database a rp_token gets generated for that client and as long as that exists then you will receive this error. This is NOT a bug. But the error handling should be more descriptive.

To solve, go into the database where the users are. Update rp_token to null and it will work, or give the system time to update itself (like 20 min). I'm assuming when the cron does its thing.

Cheers.

thanhv83 commented 8 years ago

I checked again; some customers still can't log in.

Omar-Oleh commented 8 years ago

Hi. I have the same problem. When I have reset the password for one customer, I cannot reset the password for another customer from my PC. Please see the class app/code/Magento/Security/Model/SecurityChecker/Frequency.php, method loadLastRecordCreationTimestamp. This method returns the last date when a password was reset (for any customer). I think that it's wrong, because this method must return the last date of any reset ONLY for this customer.

crantron commented 8 years ago

@veloraven : @Omar-Oleh Omar is right, I just checked. This needs to be labeled a bug.

andimov commented 8 years ago

@Omar-Oleh, @crantron Please, provide steps to reproduce according to the Issue reporting guidelines.

crantron commented 8 years ago

Expected result: if a reset password token is set for one customer, it shouldn't affect other customers and them resetting their password.

apurv-anand commented 7 years ago

+1 I got the same issue. Will investigate to get you more details, but this issue is real. Please do not close it without diving deep and resolving. M2.1.1

crantron commented 7 years ago

To temporarily fix this issue, will have to run often, but run the MySQL queries:

UPDATE customer_entity SET rp_token=NULL;
UPDATE customer_entity SET rp_token_created_at=NULL;

you'll then be able to send out notifications. @apurv-anand

sevos1984 commented 7 years ago

Internal ticket created MAGETWO-59090. Thanks for reporting

sdzhepa commented 7 years ago

@sheldonli999 Fix for this issue was delivered to develop branch. Pls feel free to check it in develop and reopen if need

pascaladriaansen commented 7 years ago

I think this needs to be reopened. @sdzhepa I tried the fix from the develop branch, but unfortunately this does not fix this issue completely.

It only fixes the type of error message a user gets (by throwing a SecurityViolationException instead of a normal Exception). It still doesn't fix the issue mentioned earlier by @Omar-Oleh and @crantron.

Steps to reproduce on Magento 2.1.2:

  1. Apply fixed files from 7a67ac94dd9a925256f2c94b4ebc597f5e949206
  2. Clear all rp_token and rp_token_created_at values in the customer_entity column: UPDATE customer_entity SET rp_token=NULL; UPDATE customer_entity SET rp_token_created_at=NULL;
  3. Go to admin, click "Reset Password" for a customer. This should work.
  4. (OPTIONAL) Reset the customer's password via the received email link. This will probably work as well.
  5. Go to another customer, click "Reset Password". This will throw the following error:

Executing step 4 is optional, I get the same result in both cases.

jvreeken commented 7 years ago

I'm still having problems with this as well.

Steps to reproduce on Magento 2.1.2:

  1. Apply fixed files from 7a67ac9
  2. Clear all rp_token and rp_token_created_at values in the customer_entity column: UPDATE customer_entity SET rp_token=NULL; UPDATE customer_entity SET rp_token_created_at=NULL;
  3. Send password reset email by clicking link in admin or frontend
  4. Reset the customer's password via the received email link.
  5. Try the new password gives: "INVALID LOGIN OR PASSWORD."

I also was seeing the "Too many password reset requests. Please wait and try again or contact xxx". I turned off the settings for resetting passwords limits... but it is still a bug.

eharvest commented 7 years ago

I'm running 2.1.0, got a project just about to launch, now I cannot create/reset password when I add a new customer. Steps to reproduce:

  1. Add a new website - Wholesale
  2. Add a new customer and assign him to Website: Wholesale, Customer Group: Wholesale.

Notification email sends ok, but once I try to create the password, it gives the error: Something went wrong while saving the new password.

I have tried clear all rp_token and rp_token_created_at values in the customer_entity column: UPDATE customer_entity SET rp_token=NULL; UPDATE customer_entity SET rp_token_created_at=NULL;

It didn't work for me at all, still gives the same error. Any work around suggestion will be appreciated!

jvreeken commented 7 years ago

now all I'm getting is YOUR PASSWORD RESET LINK HAS EXPIRED.

ooples commented 7 years ago

I'm getting this issue as well in 2.1.2

visualdensity commented 7 years ago

I also had the same issue on 2.1.0 (yes, I am upgrading it) - "Something went wrong while resetting customer password." error. So I checked var/logs/system.log and noticed I have this:

```
main.CRITICAL: Exception message: Too many password reset requests. Please wait and try again or contact customerservice@infiniterewards.com.au. Trace:
#0 /var/www/magento/vendor/magento/module-security/Model/SecurityManager.php(110): Magento\Security\Model\SecurityChecker\Frequency->check(0, 'me@bla...', '10.10.2.132')
#1 /var/www/magento/vendor/magento/module-security/Model/Plugin/AccountManagement.php(59): Magento\Security\Model\SecurityManager->performSecurityCheck(0, 'me@bla...')
#2 /var/www/magento/vendor/magento/framework/Interception/Interceptor.php(123): Magento\Security\Model\Plugin\AccountManagement->beforeInitiatePasswordReset(Object(Magento\Customer\Model\AccountManagement\Interceptor), 'me@bla...', 'email_reminder', '2')
```

I then surfed the DB tables for clues and found password_reset_request_event table and in it, the user request record was found. I deleted the record/row and did another password reset and it worked.

A bug perhaps? It should really say "Too many resets" and perhaps allow a way to reset the count?

HTH. Thanks!
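Added example, not Magento's code and not part of any comment in this thread: a small model of the throttle seen in the trace above, comparing a lookup keyed only on the requester's IP (the behaviour Omar-Oleh describes earlier) with one keyed on the account. The table columns other than `account_reference`, the 600-second gap, the addresses and all function names are assumptions made for the illustration.

```python
import sqlite3

MIN_GAP_SECONDS = 600  # assumed minimum gap between two reset requests


def make_db():
    """In-memory stand-in for password_reset_request_event (columns assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_reset_request_event ("
               "account_reference TEXT, ip TEXT, created_at INTEGER)")
    return db


def last_request(db, email, ip, scope):
    """Timestamp of the newest earlier request that counts against this one."""
    clause, args = {
        "ip": ("ip = ?", (ip,)),                            # any account, same IP
        "account": ("account_reference = ?", (email,)),     # this account only
    }[scope]
    row = db.execute("SELECT MAX(created_at) FROM password_reset_request_event "
                     "WHERE " + clause, args).fetchone()
    return row[0]  # None when nothing matches


def request_reset(db, email, ip, now, scope):
    """Record the request and return True, or return False when throttled."""
    last = last_request(db, email, ip, scope)
    if last is not None and now - last < MIN_GAP_SECONDS:
        return False  # what the user sees as "Too many password reset requests"
    db.execute("INSERT INTO password_reset_request_event VALUES (?, ?, ?)",
               (email, ip, now))
    return True


def admin_resets(scope):
    """Constructed scenario: one admin workstation resets two customers, then repeats."""
    db = make_db()
    admin_ip = "192.0.2.10"  # constructed documentation address
    return [
        request_reset(db, "alice@example.com", admin_ip, 0, scope),
        request_reset(db, "bob@example.com", admin_ip, 60, scope),
        request_reset(db, "alice@example.com", admin_ip, 120, scope),
    ]


if __name__ == "__main__":
    print("ip scope:     ", admin_resets("ip"))
    print("account scope:", admin_resets("account"))
```

With the IP-only lookup the second customer is refused because of the first customer's request; with the account-scoped lookup only the repeated request for the same customer is refused.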

shahankitb997 commented 7 years ago

I'm still facing the issue. Any solution?

Asitis commented 7 years ago

@shahankitb997 did you try all the said solutions here? Check for the password-reset limit and such?

wilcoguapa commented 7 years ago

This is an acknowledged bug, as mentioned here.

pascaladriaansen commented 7 years ago

@wilcoguapa It is, but this issue is closed (and fixed, according to @sdzhepa). Shouldn't it be reopened?

wilcoguapa commented 7 years ago

@pascaladriaansen Yes it should, because the fix that @sdzhepa mentioned is not yet released, and probably will not be released soon.

j1nx3d commented 7 years ago

I'm also having this issue. I have Magento 2.1.3 installed and updated by composer. On the customer_entity table the rp_token and rp_token_created_at have some information as mentioned in other comments. I also think it is a bug because the rp_token_created_at has a date from September 15th of 2016.

All the crons are set up correctly. This field must be null by this time, or at least allow to request the password for the customer. Also, if I try to do this from the Magento Admin this should not have a restriction of this kind.

spyrule commented 7 years ago

Does anybody have a single query to delete both rp_token/token_created_at as well as if there is a matching row in password_reset_request_event if there is a row whose email address matches an above row with a value in rp_token? (I'm somewhat terrible at writing SQL queries)

spyrule commented 7 years ago

answered my own question:

DELETE from password_reset_request_event where account_reference in (select distinct email from customer_entity where rp_token is not null and rp_token_created_at is not null);
UPDATE customer_entity SET `rp_token`= NULL, `rp_token_created_at`= NULL WHERE rp_token IS NOT NULL AND rp_token_created_at IS NOT NULL;

I'm adding this to a cron job to run once per hour, and I tell customers that password requests only last until the top of each hour.

crantron commented 7 years ago

@spyrule your picture gives me anxiety +1

spyrule commented 7 years ago

why? I'm only updating references that actually exist. Otherwise those two rows are harmless (they don't delete without a result actually existing). I do agree, it would be preferential that the problem actually gets fixed (I really wish they would push updates as single updates for each item, instead of having to wait for major releases). So this is my work-around until this problem is properly resolved (Unfortunately, I don't have time at the moment to write a full proper extension to fix the underlying code problem).

crantron commented 7 years ago

YOUR GITHUB AVATAR, not your solution. lol.

spyrule commented 7 years ago

LOL.... oh. :) (I'll admit, it's not actually me, but I found it funny as hell, makes me laugh all the time)

maultby commented 7 years ago

I had these errors even after running the above fixes. After spending several hours trying to resolve I found that the sent password reset email worked fine in Firefox! It was only IE that was giving the errors such as Your password reset link has expired.

crantron commented 7 years ago

@maultby I can guarantee you this is not a browser issue. Emails don't get sent with frontend tech...

spyrule commented 7 years ago

Can anybody confirm if this still happens in 2.1.4/5 ?

dnadle commented 7 years ago

I have just encountered this bug in 2.1.4.

spyrule commented 7 years ago

@sdzhepa - Can you PLEASE re-open this ticket, it needs further investigation, as this problem still persists (clearly, since people are still having this problem in 2.1.3 (me), and 2.1.4 (dnadle)).

spyrule commented 7 years ago

@eCommerceGorilla There is no difference between 2.1.4 and 2.1.5 other than copyright info in the core config files. Just an FYI.

eCommerceGorilla commented 7 years ago

Actually, I have to retract my assertion of it not working. I have been troubleshooting this for a few hours and located the issue not in the core but MageMonkey for Magento 2. Clean install it is working without an issue.

If anyone else is running into this ensure that MageMonkey isn't the issue.

spyrule commented 7 years ago

@eCommerceGorilla Were you able to determine what was it in that extension that was causing this problem?

eCommerceGorilla commented 7 years ago

@spyrule No I actually didn't bother devoting any additional time to the 3rd party extension, it was faster for me to just inject MailChimp api v3 calls into the magento side of subscription events and create a controller to handle the MailChimp webhook for unsubscribes.

spyrule commented 7 years ago

@eCommerceGorilla Hmmm... source code? :smiley:

kcsf commented 7 years ago

INFURIATING this is. NO customers can log in anymore. They all get the same error: "An unspecified error occurred. Please contact us for assistance."

And we can't find any error detail in any of the server logs - nor in js console. Which makes all of this ever more infuriating.

Not sure when it started, sometime after upgrading from 2.1.0 to 2.1.6. We staged the site today and upgraded to 2.1.7 > NO JOY.

Meanwhile - the phone is ringing off the hook & we are losing orders like crazy.

Please help