
Email user when get Error when attempting to reset password #2926

Open
davama opened this issue Feb 28, 2022 · 5 comments
Labels
area/email Email related features/bugs type/feature Request for adding a new feature

Comments

@davama

davama commented Feb 28, 2022

Feature Request

So the current behavior when attempting to reset the password is that you get the popup below, which is expected.

[Imgur screenshot of the password reset error popup]

I understand that we don't want to give information to the "potential" attacker and that's fine.

But the popup msg of course does not help the user as to what they can do differently.
So an idea was to send them an email stating what the log msg says.

Description

Email the user with the error msg when they get a popup error msg when attempting to reset the password.

Use Case

At least in this one case we had, the user was using an old LDAP password, but the msg was not helpful.

  "level": "error",
  "method": "POST",
  "msg": "unable to update password. Cause: LDAP Result Code 19 \"Constraint Violation\": Password is not being changed from existing value",
  "path": "/api/reset-password",

An email to the user stating they are trying to use an old password would probably save them some headaches, as well as the admin :)

Hope I did this FR right.

Thank you for the awesome support!

-Dave

@davama davama added the type/feature Request for adding a new feature label Feb 28, 2022
@james-d-elliott james-d-elliott added the area/email Email related features/bugs label Aug 7, 2022
@james-d-elliott
Member

Related: #4382

@nightah
Member

nightah commented Dec 6, 2022

I don't think that's entirely related; we could handle a different message in this scenario like we do when we identify that the new requested password doesn't fit the policy enforced by LDAP.

The key reason we hadn't in the past was that we didn't have a list of all the errors/constraint violations and it's still unclear whether or not those will differ between each LDAP implementation.

@james-d-elliott
Member

I was thinking an admin toggle (default off) that would "enhance" the password reset email with the raw error message. Also I agree it's not something we should complete in the same feature, just thinking we can probably make a fairly generic email template that we can quickly add/remove elements on and that would partially help with implementing this feature.
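
A sketch of the classification and admin toggle discussed above, as an added example in Go and not Authelia's own code: `ResetEmailConfig`, `IncludeRawError` and `ClassifyResetError` are assumed names, and the constraint-violation substrings are taken from the LDAP log line quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ResetEmailConfig models the admin toggle discussed in the thread.
// Assumed name: this is example code, not Authelia's own configuration.
type ResetEmailConfig struct {
	IncludeRawError bool // default off: raw backend text stays in the log only
}

// knownHints maps substrings of backend errors to a hint that is safe to put in
// the e-mail sent to the verified address. The substrings are taken from the log
// line quoted in the issue; other LDAP servers may word them differently.
var knownHints = []struct{ needle, hint string }{
	{"not being changed from existing value", "The new password must differ from your current password."},
	{"Constraint Violation", "The new password does not meet the directory's password policy."},
}

// ErrNotClassified signals that no known hint matched, so only a generic
// message is sent (the raw cause stays in the log unless the toggle is on).
var ErrNotClassified = errors.New("unclassified password change error")

// ClassifyResetError returns the text for the e-mail body. The browser popup
// stays generic regardless; only the e-mail to the verified user may carry detail.
func ClassifyResetError(cfg ResetEmailConfig, backendErr error) (string, error) {
	msg := "Your password could not be changed."
	var matched error = ErrNotClassified
	for _, h := range knownHints { // most specific needle is listed first
		if strings.Contains(backendErr.Error(), h.needle) {
			msg, matched = h.hint, nil
			break
		}
	}
	if cfg.IncludeRawError {
		msg = fmt.Sprintf("%s (backend said: %s)", msg, backendErr.Error())
	}
	return msg, matched
}

func main() {
	// Constructed sample mirroring the LDAP error quoted in the issue.
	err := errors.New(`LDAP Result Code 19 "Constraint Violation": Password is not being changed from existing value`)
	hint, _ := ClassifyResetError(ResetEmailConfig{}, err)
	fmt.Println(hint)
}
```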

@dheadgs

dheadgs commented Nov 8, 2023

Hi, is there an update for this? I am having the same issue on release authelia/authelia:4.37.5 onwards; the email is sent successfully. Logs:
- IP changed to localhost for privacy reasons
- Active Directory version 10.0.17763.4644 is being used for auth

level=debug msg="Notifier SMTP client attempting connection to 127.0.0.1:25"
level=debug msg="Notifier SMTP client connected successfully"
level=debug msg="Notifier SMTP server supports STARTTLS (disableVerifyCert: true, ServerName: 127.0.0.1), attempting"
level=debug msg="Notifier SMTP STARTTLS completed without error"
level=debug msg="Notifier SMTP config has no password specified so authentication is being skipped"
level=debug msg="Notifier SMTP client attempting to send email body to "TEST TEST" TEST@TEST.gr"
level=debug msg="Notifier SMTP client successfully sent email"
level=error msg="no identity verification process has been initiated" method=POST path=/api/reset-password remote_ip=127.0.0.1 stack="github.com/authelia/authelia/v4/internal/middlewares/authelia_context.go:65 (*AutheliaCtx).Error\ngithub.com/authelia/authelia/v4/internal/handlers/handler_reset_password_step2.go:20 ResetPasswordPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25 SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35 SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16 SecurityHeaders.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154 (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594 goexit"

The end user gets the "There was an issue resetting the password" message.

@james-d-elliott
Member

james-d-elliott commented Nov 10, 2023

The updates will be present in the relevant issue, as is standard practice. However, in your situation it will likely be unhelpful to the end user, which is likely also something that someone else will have an issue with.
