If AllowAccountReset is set to false, the user cannot change the password even if it expires, so he cannot log in anymore #6261
Comments
you didn't quite follow the bug report template
also can you run
Server Software
Client Device
Do you use external auth at all like LDAP/SAML/Azure? Your config.json file
Thank you :) I will have a look when I get a chance for you! I have a feeling it's calling the password reset function, and that function has a checker for allowaccountreset==false, so it might be returning false and not actually changing the password. Can you try logging in, resetting the password, logging in with the new password, then logging in with the old password? Does it still let you log in with the old password after you change it to the new one, or does it just go back to the "you need to change password" screen?
I can confirm this behavior as well. Will provide my config tomorrow if it's needed, though it hasn't changed much since the last time I posted it. When allowAccountReset is set to false, all password reset functionality fails. My most recent test involved inviting a new user, setting their password, and having it prompt for reset on first login. The prompt came up successfully, they were able to type in a new password and submit it, but the password was not saved and they were able to log in again with the old, temporary password. This resulted in a permanent loop until I reset the password from my side, did not force reset, and then walked them through changing it manually after.
OK all, so I can confirm the issue
…6261 Signed-off-by: si458 <simonsmith5521@gmail.com>
Should be fixed! Very simple fix here if you wanna patch and try yourselves! 8e5aa35
That patch does look easy but I have a couple of quick questions.
Thanks!
@PetieM from my testing, no, it shouldn't break anything! In theory it won't break any updates in the future if you patch it manually!
Sounds good. One more thing though - what/where is this reset variable you're referring to? Is that a flag on the user? |
oh ffs! the commit doesn't work with
lol, apologies for throwing a wrench into that otherwise elegant 1-line solution! If setting it to 0 instead of not setting it at all accomplishes the same thing, I'm okay with changing that instead.
OK, I've had to revert that commit 👎
Maybe it would make more sense to entirely decouple the mandatory password reset for users who are already logged in (or in the process of successfully logging in) from the account recovery feature for users who have forgotten their password entirely?
Describe the bug
When domain.passwordrequirements.reset is set to X and domain.passwordrequirements.allowaccountreset is set to 'false', then X days after user creation the user cannot log in anymore (because once he enters his credentials he is prompted to change his password, but afterwards the new password he entered does not work).
NOTE: According to meshcentral-config-schema.json
domain.passwordrequirements.reset = Number of days after which the user is required to change the account password.
domain.passwordrequirements.allowaccountreset = If set to false, the account reset option on the login screen will not be available to users.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
With this config, a user cannot change his password unless the password expires.
When the password expires, you'll be prompted to enter a new one. Then the new password works.
Workaround
Setting domain.passwordrequirements.allowaccountreset = true avoids the problem.
Maybe there is no need to fix this scenario, but to improve the documentation (meshcentral-config-schema.json descriptions) this way (or similar):
domain.passwordrequirements.reset = Number of days after which the user is required to change the account password. 0 means the password never expires. NOTE: If you set this to a non-zero value, please be sure to set domain.passwordrequirements.allowaccountreset to true.
domain.passwordrequirements.allowaccountreset = If set to false, the account reset option on the login screen will not be available to users. NOTE: Set to true if you set domain.passwordrequirements.reset to a non-zero value.
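Added illustration for this issue (not MeshCentral's code and not posted by anyone in the thread): a toy model of the two password flows the thread discusses, driven by the two config keys quoted in the issue body. `coupledSetPassword` reproduces the reported behaviour, where one `allowaccountreset` gate rejects both the forgot-password flow and the forced change after `reset` days; `decoupledSetPassword` implements the split suggested in the comment above, gating only unauthenticated recovery. The config objects, the simulated user, and all function and field names are assumptions made for the example.

```javascript
// Added example, not MeshCentral code. Models the expiry-vs-recovery flows from
// the thread; names, config fragments and the simulated user are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed config.json fragments, keys spelled lower-case as in the issue text.
const configs = {
  broken:     { passwordrequirements: { reset: 30, allowaccountreset: false } },
  workaround: { passwordrequirements: { reset: 30, allowaccountreset: true } },
  noexpiry:   { passwordrequirements: { reset: 0,  allowaccountreset: false } },
};

function requirements(domain) {
  return (domain && domain.passwordrequirements) || {};
}

// `reset` days since the last change forces a new password; 0 or absent = never.
function passwordExpired(domain, user, now) {
  const days = requirements(domain).reset || 0;
  return days > 0 && now - user.passchange >= days * DAY_MS;
}

// Coupled gate (the behaviour reported): allowaccountreset=false refuses every
// password change, including the one the expiry prompt just asked the user for,
// and the caller never learns that nothing was saved.
function coupledSetPassword(domain, user, flow, newPass, now) {
  if (requirements(domain).allowaccountreset === false) return false;
  user.pass = newPass;
  user.passchange = now;
  return true;
}

// Decoupled gate (the proposal in the thread): allowaccountreset only blocks the
// unauthenticated "forgot my password" recovery. A user who has just proven the
// old credential may rotate it, but only when the rotation is actually due.
function decoupledSetPassword(domain, user, flow, newPass, now) {
  const pr = requirements(domain);
  if (flow === 'recovery' && pr.allowaccountreset === false) return false;
  if (flow === 'expired' && !passwordExpired(domain, user, now)) return false;
  user.pass = newPass;
  user.passchange = now;
  return true;
}

// Walk through the report: create a user, wait past `reset`, log in with the
// temporary password, get prompted, submit a new one, then try both passwords.
function simulate(domain, setPassword) {
  const t0 = Date.UTC(2024, 0, 1);
  const later = t0 + 31 * DAY_MS;                      // past the 30-day reset
  const user = { name: 'alice', pass: 'Temp-pass-1', passchange: t0 };
  const login = (pw) => pw === user.pass;              // toy credential check

  if (!login('Temp-pass-1')) throw new Error('constructed user should log in');
  const prompted = passwordExpired(domain, user, later);
  const changed = prompted && setPassword(domain, user, 'expired', 'New-pass-2', later);
  return {
    prompted,
    changed,
    newPassWorks: login('New-pass-2'),
    oldPassWorks: login('Temp-pass-1'),
    // The "permanent loop" from the thread: prompted, nothing saved, old password
    // still valid, so the next login lands on the same prompt again.
    loop: prompted && !changed && login('Temp-pass-1'),
  };
}

console.log('broken config, coupled gate:   ', simulate(configs.broken, coupledSetPassword));
console.log('workaround config, coupled gate:', simulate(configs.workaround, coupledSetPassword));
console.log('broken config, decoupled gate: ', simulate(configs.broken, decoupledSetPassword));
```

Running it shows the three outcomes side by side: the reported loop (`changed: false, oldPassWorks: true, loop: true`), the documented workaround of setting `allowaccountreset` to true, and the code-side fix that keeps recovery disabled while still letting an expired password be rotated.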