Change password works, but spams 10000+ requests and locks the account

[sngoz]

PassCore Server

• OS: Windows
• Provider: Active Directory, but also the same when using LDAP
• Settings file (without sensitive information): at end
• Log file (without sensitive information):

Describe the bug
Change password works (takes a long time), but the account locks.

In developer tools, it is spamming 10000+ requests as soon as you click on the Change Password button.

The first request works, as the password changes.
But then it displays "you need to provide the correct password" multiple times.
Then it displays the account locked.

Note: If you want to report an issue of passcorepro, please use the proper bug report form at https://store.unosquare.com/passcorepro

To Reproduce
Steps to reproduce the behavior:

1. Enter details then click on Change Password
2. See error

Expected behavior
Should only make 1 request to change the password not thousands.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows 10
• Browser: Chrome
• Version Version 86.0.4240.198 (Official Build) (64-bit)

appsettings.json

{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
},
"WebSettings": {
"EnableHttpsRedirect": true
},
"AppSettings": {
// The following options for AD Provider (remove if you don't use this Provider)
"UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
"RestrictedADGroups": ["Enterprise Admins"], // Set the AD groups to restrict the use of PassCore
"AllowedADGroups": ["Domain Users"], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
"IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)

// The following options are for LDAP Provider (remove if you don't use this Provider)
//"LdapSearchBase": "OU=Company,DC=xxxxxxxxx,DC=local",
//"LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
//"LdapStartTls": true, // Default for AD is true when using LDAP 389
//"LdapChangePasswordWithDelAdd": true,
//"LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"

// General options (valid for both providers)
"LdapHostnames": [ "xxxxxxx.xxxxxxx.local" ], // Set your hostname(s)
"LdapPort": 389, // Default for AD is 389, for LDAPS 636
"LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
"LdapPassword": "", // Set the password for the username
"DefaultDomain": "xxxxxx.local" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.

},
"ClientSettings": {
"ValidationRegex": {
"EmailRegex": "^[a-zA-Z0-9.!#$%&’+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$",
"UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
},
"UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
"MinimumDistance": 0, //The minimum distance beetween the old and the new password, this is used to enforce the edit distance using the levenshtein distance algorithm.
"PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
"ShowPasswordMeter": true,
"MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
"Recaptcha": {
"SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
"PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
"LanguageCode": "en"
},
"UseEmail": "true",
"ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
"ChangePasswordTitle": "Change Account Password",
"ChangePasswordForm": {
"HelpText": "If you are having trouble with this tool, please contact IT Support",
"UsernameLabel": "Username",
"UsernameHelpblock": "Your organization's email address",
"UsernameDefaultDomainHelperBlock": "Your organization's username",
"CurrentPasswordLabel": "Current Password",
"CurrentPasswordHelpblock": "Enter your current password",
"NewPasswordLabel": "New Password",
"NewPasswordHelpblock": "Enter a strong password. You can use this tool to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
"NewPasswordVerifyLabel": "Re-enter New Password",
"NewPasswordVerifyHelpblock": "Enter your new password again",
"ChangePasswordButtonLabel": "Change Password"
},
"ErrorsPasswordForm": {
"FieldRequired": "This field is required",
"UsernamePattern": "Please enter a valid username",
"UsernameEmailPattern": "Please enter a valid email address",
"PasswordMatch": "Passwords do not match"
},
"Alerts": {
"SuccessAlertTitle": "You have changed your password successfully.",
"SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
"ErrorInvalidCredentials": "You need to provide the correct current password.",
"ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
"ErrorInvalidUser": "We could not find your user account.",
"ErrorCaptcha": "Could not verify you are not a robot.",
"ErrorFieldRequired": "Fulfill all the fields.",
"ErrorFieldMismatch": "The passwords do not match.",
"ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
"ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
"ErrorScorePassword": "The password you are trying to set is not secure enough.",
"ErrorDistancePassword": "The password you are trying to set is not diferent enough of your last password.",
"ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
}
}
}

[4arizard]

The same with me, the password was successfully changed, but many errors appear and the account is blocked by the domain policy

[eponerine]

I confirmed that this issue happens with v4.2.0 and v4.2.4.

Using the same appsettings.json file in v4.0.0 and everything works perfectly fine. It's as if the CHANGE PASSWORD button is waiting for a 200 back, but spams the hell out of the password endpoint before it can return. I saw upwards of 8000 requests before all but 1 request errored out.

[sngoz]

@eponerine @4arizard v4.0.0 works for me. Thank you @eponerine !!!

[geoperez]

@antonioi88 just push a fix, can confirm before pushing a new version?

[vgan]

@geoperez I deployed the fix to my environment running v4.2.4 and appears to be working.

[eponerine]

For what its worth, I think the following Issues are related:

#600
#598

[ghost]

Hello,

I have the same issue. What should I do to resolve this problem. I'm using binary version downloaded from:
https://github.com/unosquare/passcore/releases/download/4.2.4/PassCore424.zip

Thak you in advance for any inforamtion.

[geoperez]

We didn't release a binary version yet, you need to compile it. I'll try to release it tomorrow.

[ps-ckrelle]

we are setting this behavior on a windows hosted box, we are testing with version 4.2.4

[ghost]

I was trying to use 4.0.0 version, but it seems working in the same way. When I press "Change password" nutton it send a lot of request. I don't have any idea what I configured wrong...

On the same server (IIS) version 3.6.4 is working very good

[4arizard]

Did I understand correctly, is it fixed in the source code? How do I compile a new binary version?

[ezeitoun]

Any plans to release a new version with the fix to this issue or provide details info how to patch the existing one (via code compile)?
Thanks!

[ndom91]

Still having this issue with 4.2.4. even when manually bumping .net from 3.1 to 5.1 in the deps.json file as mentioned in another issue here

[hkml2000]

Hi,

I downgrade to release 4.2.3 with appsettings.json from 4.2.4

it works fine

[ndom91]

Downgrading to 4.2.3 did the trick for me as well 👍

FYI - 4.2.3. still lists 4.2.0 as version in the footer. You can do a little find/replace on the wwwroot/App.xyz.js file.

[julitalvensaari]

Same here - Downgrading to 4.2.3 from 4.2.4 solved the issue for me.

[mihaimacarie98]

I have the latest version and I have a similar issue

[ndom91]

@yo2mno downgrading to 4.2.3 will fix it for the time being..

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[simonai1254]

A downgrade to 4.2.3 was the only solution for me as well as I found no option to disable the web checks. I am running Passcore in an closed environment without internet access, and there the check by design can only fail...

[NoSubstitute]

I downgraded to 3.6.4 and it works, but is of course missing some nice features.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[simonai1254]

Keepalive