By Jordan Weinstein on Thursday, 26 January 2017
Posted in General Issues
Replies 34
Likes 0
Views 512
Votes 0
When using some of your components and if EasySocial is installed, the component overrides the password reset function of Joomla. This is fine and it looks nice the way you do it, but the override breaks an important usability feature from the Joomla core. The usual reset process sends an email with a reset link to the user. When clicking that reset link, the verification code is appended to the URL and added to the reset form. This is not implemented in your override and the user has to know to cut and paste the code from the email. Would you consider restoring this function in your override?

Jordan
Hm, I always thought that the link is also added into the e-mails. If it isn't then it's a bug, because it should behave similarly to what Joomla already has. Will create a ticket for this internally and if it is a bug, we'll address this in 2.0.11
Thursday, 26 January 2017 10:50
0 Likes
0 Votes
0 Comments
The link to reset is included in the email but the verification token is not automatically added to the confirm form like it is with the default Joomla reset routine. With yours, you have to copy and paste it manually into the confirm form.

Jordan
Thursday, 26 January 2017 19:53
This is fixed internally, Jordan. It will be fixed in the next release.
Thursday, 26 January 2017 22:04
Hi Mark,

The latest release does seem to add the verification token to the URL but does not seem to add it to the form in my testing.

My test site has been added to the original post. If there is a fix, please post here so I can update my live site.
Thursday, 16 February 2017 22:47
Hello Jordan,

Hm, are you running any sort of click capturing on the site? I tested your site and noticed that the URL has been redirected from:

Original Link: https://click.pstmrk.it/2s/ukidney.com%2Fnetwork%2Faccount%2FconfirmReset%3Ftoken%3D675bb13c8ff696a305907ffdb73df2d6%26username%3Dmark%40stackideas.com/O1uyFg/mCEh/lc3yRYuepE

End Link: https://ukidney.com/network/account/completeReset

If I manually accessed the URL that was generated by EasySocial, https://ukidney.com/network/account/confirmReset?token=675bb13c8ff696a305907ffdb73df2d6&username=mark@stackideas.com, it then generates the token correctly.
Saturday, 18 February 2017 16:28
Thanks Mark,

That is the link tracing on my transactional email system, like Mandrill.

The issue is that while the URL contains the token, it's just not added to the token field on the confirm page. This is true even if I access the direct link you provided. So you still have to copy and paste it into the field.

Jordan
Saturday, 18 February 2017 19:20
When accessing that URL which I have provided, the screen no longer asks me for a token: http://take.ms/pg2LT
Sunday, 19 February 2017 00:54
Maybe we are talking about two different things. When clicking the reset password link from the EasySocial email, the token and username are in it:

network/account/confirmReset?token=bf2603491fa33be1b724d69658946b0b&username=testcdn

However, these values should be added to the form; otherwise they serve no purpose being in the URL.

In native Joomla, the token is added to the token field on the confirm screen. The EasySocial override breaks that.

Jordan
Sunday, 19 February 2017 01:31
I understand Jordan but with the new update, you will not see the token in the form anymore.

Accessing with https://ukidney.com/network/account/confirmReset?token=675bb13c8ff696a305907ffdb73df2d6&username=mark@stackideas.com
With the token in the URL: http://take.ms/NX2sc

Accessing with https://ukidney.com/network/account/confirmReset
Without the token in the URL: http://take.ms/tlXZD
Sunday, 19 February 2017 01:38
I don't know what's going on.

When I click the link from an email, I get this error:

Sorry, this is not the e-mail associated with your account. Please try again.

Can't test beyond that.

Jordan
Sunday, 19 February 2017 02:09
Hello Jordan,

I believe the link you clicked from the forum could have been replaced incorrectly by our parser on the forums. Try copying and pasting this text:

https://ukidney.com/network/account/confirmReset?token=675bb13c8ff696a305907ffdb73df2d6&username=mark@stackideas.com
Sunday, 19 February 2017 02:14
Replace the &; with &
Sunday, 19 February 2017 02:14
Yes, that worked but then this does not:

https://ukidney.com/network/account/confirmReset?token=8428b7befb1c48186efdaeddb5a7eb08&username=testcdn

That is a link from my email. It seems the email is omitting the ;

When I add &; it works.

But to reiterate, the link from the email does not.
Sunday, 19 February 2017 02:22
It's so strange. Some users with certain emails work. So for example, this works:

http://uk.drjjw.com/network/account/confirmReset?token=2021d5bbd45a3c224ddcff0a6eb360da&username=bichet@ukidney.com

This does not:

http://uk.drjjw.com/network/account/confirmReset?token=bd0b07f1324676d5c9f195f5aec2e44f&username=testcdn


I even deleted the user testcdn and recreated it with the same email as before; it failed. I used the email from the working link above and it worked. So some emails work, others don't. It makes no sense (to me).

The tokens seem to be valid in both cases. Even with the ones that fail to enter the confirm screen, if I manually paste the token, it works. It's very weird.

I have now reproduced this on a bare-bones Joomla install. The issue only happened once. I enabled the option:

Use Email as Username: Yes

Then it failed with the email: bichet@ukidney.com as seen here:

http://drjjw.com/es/community/account/lostpassword
Sunday, 19 February 2017 08:56
OK, I think there is definitely a bug here.

To reproduce:

Go to Settings > Users and enable BOTH:

Allow Logging In With E-mail: Yes
Use Email as Username: Yes

Then reset password with your email.

Click the link. It will fail.

Go back to settings, and change to:

Allow Logging In With E-mail: No
Use Email as Username: Yes

Re-do reset. It succeeds.

I think the first setting is redundant anyway and I'm not sure why they are both there.
Sunday, 19 February 2017 09:36
Hello Jordan,

I am really sorry for the delay in this reply, as it is a weekend for us here. Hm, if you have enabled the option "Use e-mail as username", then the system should automatically use your e-mail address instead of the username.

Your user should not have a custom username as their username would be their e-mail address. Was this user created from Joomla or EasySocial?
Sunday, 19 February 2017 17:26
Interesting.

Yes, those users may have been manually created by me. But we also have some users who have usernames (not email as username) since this site is 8 years old and we enabled that option more recently. So I suppose that for users with non-email usernames, this will break.

Jordan
Sunday, 19 February 2017 19:26
Hello Jordan,

Yeah, that is because we performed additional checks to prevent people from spoofing the reset password behavior.

When both options are activated we are under the assumption that everyone's username will be the e-mail address. Therefore we do not check against the username, to ensure that users don't try to spoof the system.

The issue here is that there is ambiguity between your username and email. Some users have their email as their username while others don't. Here's what you can try (I haven't really tested if this is secure enough): edit the file /administrator/components/com_easysocial/models/users.php and at line 2576 locate the code below:

    // Both "Use Email as Username" and "Allow Logging In With E-mail" on:
    // match on the e-mail column only, the username is not consulted
    if ($config->get('registrations.emailasusername') && $config->get('general.site.loginemail')) {
        $sql->where('email', $username);
    } elseif ($config->get('general.site.loginemail')) {
        // Login by e-mail only: accept either the e-mail or the username
        $sql->where('email', $username, '=', 'OR');
        $sql->where('username', $username, '=', 'OR');
    } else {
        // Default: match on the username column only
        $sql->where('username', $username);
    }


Replace it with:

    // Combined-options branch removed: whenever login by e-mail is enabled,
    // match on either the e-mail or the username column
    if ($config->get('general.site.loginemail')) {
        $sql->where('email', $username, '=', 'OR');
        $sql->where('username', $username, '=', 'OR');
    } else {
        $sql->where('username', $username);
    }
Sunday, 19 February 2017 20:44
Thanks Mark,

Will test.

There is another small issue. When users click an old link from an email, let's say after they have reset their password, the link containing the now-expired token says:

Sorry, this is not the e-mail associated with your account. Please try again.

The email is not the issue, it's that the token has now expired.

Jordan
Sunday, 19 February 2017 21:15
Do you mean that the token should not expire, or that the message displayed is not the proper message?
Sunday, 19 February 2017 21:17
Testing with your code I got this error:

0 Call to a member function get() on null

at:

network/account/confirmReset?token=0cfe269428c392b2b2e5c148fc110386&username=user
Sunday, 19 February 2017 21:35
Sorry, please try this:

    // Fetch the EasySocial config object first; the previous snippet
    // assumed $config was already defined in this scope
    $config = ES::config();

    // Whenever login by e-mail is enabled, match on either the e-mail or
    // the username column
    if ($config->get('general.site.loginemail')) {
        $sql->where('email', $username, '=', 'OR');
        $sql->where('username', $username, '=', 'OR');
    } else {
        $sql->where('username', $username);
    }
Sunday, 19 February 2017 21:40
Yup, that fix works.

1. I'm not smart enough to determine if it's secure.
2. Regarding the error message: correct. If a user uses an expired link then the error message should say the token is expired and to try again, or something like that. As it is, the user is told the email supplied is incorrect.
3. This use case has broader implications than my situation, where a site decided to use the email as username option. When using JFBConnect for example, that component creates a username for social network logins like fb_2343243242343. So in that case, even though the website might have the username-as-email option set when registering through EasySocial, JFB will add a non-email username. So if a user tries to reset their password from an account created through JFB, they will run into the same issue if this is not patched.

Jordan
Sunday, 19 February 2017 22:36
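The user lookup Mark describes (the combined-options branch that only consults the e-mail column, and his patched version that accepts either column), together with the distinct "expired" message Jordan asks for in point 2, modelled as an added Python example. This is not EasySocial's PHP and not code from anyone in this thread: the user records, setting names, 24-hour token lifetime, token hashing and all function names are this example's own assumptions.

```python
"""Model of the reset-token user lookup discussed in this thread.

Constructed example, not EasySocial's code: the user records, setting
names, token TTL and function names below are this example's own.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOKEN_TTL = 24 * 3600  # assumed lifetime of a reset link, in seconds


@dataclass
class User:
    username: str
    email: str
    reset_token_hash: Optional[str] = None  # store a hash, never the raw token
    reset_expires: float = 0.0


@dataclass
class Settings:
    login_with_email: bool   # Joomla "Allow Logging In With E-mail"
    email_as_username: bool  # Joomla "Use Email as Username"


def find_user_original(users: List[User], identifier: str, cfg: Settings) -> Optional[User]:
    """Lookup as the pre-patch code is described: with both options on, only
    the e-mail column is consulted, so a legacy account whose username is
    not an e-mail address is never found."""
    if cfg.email_as_username and cfg.login_with_email:
        return next((u for u in users if u.email == identifier), None)
    if cfg.login_with_email:
        return next((u for u in users if identifier in (u.email, u.username)), None)
    return next((u for u in users if u.username == identifier), None)


def find_user_patched(users: List[User], identifier: str, cfg: Settings) -> Optional[User]:
    """Lookup after the patch: the combined-options branch is dropped."""
    if cfg.login_with_email:
        return next((u for u in users if identifier in (u.email, u.username)), None)
    return next((u for u in users if u.username == identifier), None)


def issue_reset_token(user: User, now: float) -> str:
    """Create a random single-use token; only its hash is kept on the record."""
    token = secrets.token_hex(16)  # 32 hex chars, like the tokens in the thread
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = now + TOKEN_TTL
    return token


def confirm_reset(users, identifier, token, cfg, now, lookup=find_user_patched) -> Tuple[bool, str]:
    """Validate a confirmReset?token=...&username=... request.

    The three failure modes get distinct messages instead of one 'not the
    e-mail associated with your account' text. 'no pending reset' covers
    both an unknown identifier and an account with no outstanding request,
    so the page does not reveal which identifiers exist."""
    user = lookup(users, identifier, cfg)
    if user is None or user.reset_token_hash is None:
        return False, "no pending reset for that account"
    if now > user.reset_expires:
        return False, "reset link has expired, request a new one"
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, user.reset_token_hash):
        return False, "invalid reset token"
    user.reset_token_hash = None  # single use: a replayed link fails from here on
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Thread scenario: both options on, one legacy user with a plain
    username and one whose username is their e-mail (constructed data)."""
    users = [
        User("testcdn", "testcdn@example.invalid"),  # legacy account
        User("bichet@example.invalid", "bichet@example.invalid"),
    ]
    both_on = Settings(login_with_email=True, email_as_username=True)
    now = 1_700_000_000.0
    token = issue_reset_token(users[0], now)
    # pre-patch lookup cannot find "testcdn" under both_on; patched lookup can
    before = confirm_reset(users, "testcdn", token, both_on, now, lookup=find_user_original)
    after = confirm_reset(users, "testcdn", token, both_on, now)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legacy user failing under the original lookup and succeeding under the patched one with the same link. The lookup change itself does not weaken the check: the token is still compared against the record that was found, so matching on the username column as well only decides which account is consulted, not whether the token is accepted.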
Thanks for updating me on this Jordan, I will discuss this with our dev to see if this could be added internally.
Monday, 20 February 2017 23:16
Thanks Mark,

If you can please let me know, I would appreciate it. As it stands, the native method for resetting passwords will not work for users of JFB when using email as username.

Thanks as always,

Jordan
Tuesday, 21 February 2017 01:51
Thanks for the input on this Jordan, we have already logged a ticket for this internally but we'll need to run more tests and see if there is a way to support users who were created from Joomla (or via another extension like JFBConnect).
Wednesday, 22 February 2017 21:18
Thanks Mark,

I will try to watch the changelogs.

J
Wednesday, 22 February 2017 22:02
Thanks for understanding Jordan, and apologies for the delay in my reply; I have been kicking a lot of stuff in EasyBlog 5.1 =))) Extremely excited about it.
Friday, 24 February 2017 00:55