Password reset impossible due to 'User does not exist'

We are experiencing problems with the password reset flow.
The password reset fails with user ‘does not exist’, but signup as a new user triggers a ‘user already exist’.

How is this possible? What is going wrong?
-wim

We are having the same problem! As far as I know, the issue cropped up today for the first time.

The only way currently to reset our clients' passwords is via the Auth0 management console itself. Still looking into this myself, to see if we have made a mistake somewhere. I would find it interesting to know if other users are experiencing the same issue.

Hey Henk,
thank you for sharing. However, you seem to be impacted by a different issue than ours. In our situation, the reset flow doesn’t work, but neither does the users page on the dashboard. So, via that panel, we cannot help our users by resetting the passwords manually.

Let us know what your issue or solution to your issue is/was.
Thanks!
-wim

I’m having the same problem.

@wim.vanleuven from my understanding the visible issue is impossibility to trigger password reset due to the user not being found, but trying to signup does detect the user. Can you provide more information about the connection? Is it a custom database connection? If so, which scripts have you implemented? Does this happen for a specific user or can you repro with a newly created test user?

We don’t use a custom database connection, so we actually use the Auth0 user store. But we do have a few rules installed to enrich the user profile with some additional fields. But via our API we added a middleware to create a profile id in our backend as a hook for user-related data.

I tried a password reset for existing users and for a new user. Both failed!

I was failing to reproduce this situation, but then realized I was looking at the wrong thing as I was using the password reset available in the latest version of Lock 10. With the latest password reset flow even if the user does not exist you’ll get a positive response in order to avoid disclosing additional information.

You mentioned that you were getting a user does not exist message and that led me to try this in Lock 8.2 where indeed this message can still be triggered. This version of Lock uses a deprecated version of the change password flow so that can explain why the message appears even for a user that does indeed exist. The recommendation is to update to a version of Lock that supports the new reset password flow; keep in mind this flow is somewhat different than the deprecated one. There was an ongoing migration specific to this where you can get more information.
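
The difference between the deprecated and the current reset behaviour described in the last reply, as an added example that is not part of the thread and is not Auth0's or Lock's code. It is a small in-memory model; the function names, response messages and the sample account are all hypothetical.

```javascript
// Illustrative model only: names, messages and data are hypothetical.
const users = new Set(["alice@example.com"]); // constructed sample account
const outbox = []; // reset e-mails that would be queued for delivery

const normalize = (email) => String(email).trim().toLowerCase();

// Deprecated-style flow: the response depends on whether the account exists.
function legacyReset(email) {
  const key = normalize(email);
  if (!users.has(key)) {
    return { status: 404, body: { error: "user does not exist" } };
  }
  outbox.push({ to: key });
  return { status: 200, body: { message: "reset e-mail sent" } };
}

// Current-style flow: the lookup only decides whether mail is queued;
// the caller receives the same status and body either way.
function uniformReset(email) {
  const key = normalize(email);
  if (users.has(key)) {
    // A real flow would attach a single-use, expiring token here.
    outbox.push({ to: key });
  }
  return {
    status: 200,
    body: { message: "If the account exists, a reset e-mail has been sent" },
  };
}

// Regression check: true when the handler's responses for a known and an
// unknown address can be told apart by the caller.
function leaksExistence(handler, knownEmail, unknownEmail) {
  const known = JSON.stringify(handler(knownEmail));
  const unknown = JSON.stringify(handler(unknownEmail));
  return known !== unknown;
}
```

The check compares status and body only; response time should be equally independent of the lookup and is not modelled here.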