Problem redirecting users to reset password in a rule

ariel1 · July 23, 2020, 7:34pm

Hello!

I have created a rule to redirect all user/password users that never changed their password to the reset password UI. It looks like it’s working (most of it) but when the redirection happens, the reset password UI redirects back to the login and the user ends up in a login loop, always being asked to login. The problem is that when using context.redirect.url, a state is being added to the query string and that seems to trigger the unwanted redirect.

Is there a way to disable that state from being added to the URL? Is it expected that the reset password UI redirects when that query param is present?

Here is the code I’m using for that purpose.

function (user, context, callback) {
  const ManagementClient = require('auth0@2.27.0').ManagementClient;
  const url = require('url@0.10.3');

  const managementClient = new ManagementClient({
    clientId: context.clientID,
    clientSecret: configuration.auth0_clientSecret,
    domain: auth0.domain,
    scope: 'create:user_tickets',
  });

  // if user has already changed their password or it's not using a password, then there's nothing to do here.
  const { connectionStrategy, protocol } = context;
  if (user.last_password_reset || connectionStrategy !== 'auth0' || protocol === 'redirect-callback') {
    return callback(null, user, context);
  }

  // request a password change url
  const params = {
    result_url: url.format({ // Redirect after using the ticket.
      hostname: context.request.hostname,
      pathname: '/continue',
      protocol: 'https',
      query: context.request.query,
    }),
    ttl_sec: 10 * 60,
  	user_id: user.user_id,
  };
  managementClient.createPasswordChangeTicket(params, function (err, res) {
    if (err) {
  		return callback(err, user, context);
    }

    // redirect to password change url
    context.redirect = { url: res.ticket };
    return callback(null, user, context);
  });
}

Thanks!

dan.woda · July 24, 2020, 3:00pm

Hi @ariel1,

There is no way to remove state from this transaction, as it is the mechanism for preventing CSRF.

There is a way to do this though, and it is outlined here:

ariel1 · July 24, 2020, 3:18pm

Thanks for the reply.

I tried following that article but it involves creating a jwt token and server handler that redirects to auth0’s password reset page. I think the solution would be much simpler if there was a way to prevent the redirect from happening in auth0’s password reset page when a state query param is present.

Is there a way to NOT get redirected from auth0’s password reset page?

dan.woda · July 27, 2020, 9:10pm

Yes, if you are using New UL, and you have not specified a tenant level login URI, or an application level login URI. But this may mess up some other aspects of your password reset process.

This sound like it might benefit from a feature request. Can you submit one via our product feedback page? Thanks!
Dan

ariel1 · July 27, 2020, 11:04pm

I’m using the new universal layout, removed tenant and application level login URI but now I get the following error when on the reset password page.

There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us.

It’s a pity. I’ll submit this as feedback. Thanks anyway.

dan.woda · July 28, 2020, 9:03pm

Thanks for taking the time to submit.

system · August 12, 2020, 9:03pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.