Password reset link still valid after user is deleted

marek.71cz · December 5, 2023, 2:18pm

I have this use case:

Create new user → password reset link is sent to this user
Delete this newly created user
User (already deleted) clicks on a password reset link, he is allowed to set a new password and send a form → he receives error message like “Something went wrong…”

Is it possible to handle this situation better? For example, if the user is already deleted and he is trying to reset the password, display some message like “No longer valid link” or “You are not allowed to perform this operation”, etc., but BEFORE he sends the form, just right after he reaches password reset page.

Or is it any other solution?

Thanks.

rueben.tiow · December 5, 2023, 8:21pm

Hi @marek.71cz,

Welcome to the Auth0 Community!

I have tested your observations and successfully replicated the “Something went wrong, please try again later” error message.

This error happens when the user is deleted before resetting their password. Since the user profile is removed from the database, they won’t be able to “set a new password”.

Subsequent attempts to set a new password will result in the “This ticket was already used” error.

While you can customize the error message on the New Universal Login reset-password page template, dynamically setting different error messages is not supported.

If you still need to change the error message, you can modify the text in the 'auth0-users-validation` property on the “Screen: reset-password”.

Please let me know if you have any questions about this.

Thanks,
Rueben

system · December 19, 2023, 8:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.