Universal - Reset pass failed with 400

Hi,
I tried to trigger a reset password flow but it didn’t work and threw an error: “Something went wrong, please try again later”.


I found that this form calls an API “http://[app domain]/dbconnections/change_password”, and this is the request and response.

curl --location 'https://domain.us.auth0.com/dbconnections/change_password' \
--header 'Content-Type: application/json' \
--data-raw '{
    "client_id": "e285NLp2XVP9tnxxxxxx",
    "email": "kamxxxx@gmail.com",
    "connection": "Username-Password-Authentication"
}'
response:
{"fromSandbox":true,"message":"","name":"kamxxxx@gmail.com","user_id":"179287196453xxx","statusCode":400}

This is a log from Auth0 management logs.

{
    "date": "2024-05-23T09:14:53.311Z",
    "type": "fcpr",
    "description": "unknown error",
    "connection": "Username-Password-Authentication",
    "connection_id": "con_qAw1QB9l7npMdvfO",
    "client_id": "e285NLp2xxxxxxx",
    "client_name": "Default App"
}

Please help me figure out this error!

Thanks!

Hi there @phuong.le -

I would double-check if the connection: Username-Password-Authentication is enabled for the client application in your Auth0 tenant.

Also, please make sure the user for which you attempt to trigger the password reset is already present in the Username-Password-Authentication user pool (as you can’t reset a password for a user that doesn’t exist in a specific connection).

I hope this helps you - otherwise, let me know, and we’ll be looking further into it :slight_smile:

Hi @marcelina.barycka!

I checked with an existing user. I used a custom database, and I also successfully checked the create user, login, verify email, and sign-up flows.

This application is using this connection: Username-Password-Authentication

This is the user in the custom database: Username-Password-Authentication

Please let me know if you need more information to clarify this issue.

Hi there @phuong.le !

I had another look into what you reported, and one thing has caught my eye:

The error log says that the password reset request failed for the "client_name": "Default App" while the screenshot shows that the Username-Password-Authentication connection is enabled for the client name: Intrepid-Auth0-Dev. These are two different client applications.

I would say this is most likely the source of error :slight_smile:

To reiterate, enabling the Username-Password-Authentication connection for the "client_name": "Default App" on a relevant Auth0 tenant should make your request work.

Let us know if that solved your problem :+1:

Hi @marcelina.barycka !

I checked your suggestion but it still failed. I logged in successfully, so I guess it is not a problem because I just changed the app name (The client ID of the app has not changed).

Thank you!

Hi @phuong.le,

One possible reason for this failure is the network configuration on your side.
I remember once I worked on a case where our customer’s machine, under a corporate network, could not access CDN URLs with libraries that had been utilized by the Login widget, and as a result, requests within the respective flow were malformed.

It’s hard for me to tell what exactly is happening here, as I can’t reproduce this issue under regular network settings (it works for me well). Maybe requests sent from the machine are incorrectly routed.

If you can submit a support case, please attach a HAR file there (in the Community, due to security reasons, we do not accept HAR files).

I remain available in case of further questions.

Hi @marcelina.barycka !

I tried to run at my office and my home but they have the same error. I have asked my colleague to run from his laptop, but the error is still there.
I have already raised the support ticket with HAR files.

I appreciate your support!

Hi @marcelina.barycka !

I raised a ticket 3 days ago but haven’t received any support from Auth0. Could you please advise me on how to expedite the process of raising a ticket to the support team?

I checked the reset-pass flow and saw that it executed the getByEmail script and returned a result:

I don’t understand why the user has a verified email but is still encountering an error when trying to reset the password. Do you know how to obtain more debug logs from Auth0 management?

I attempted a new app with the Auth0 User Store, and the reset password worked well, so I think it is a DNS error as you mentioned.

Thank you!

Hi there @phuong.le ,

I found your tenant name internally to look more into your configurations. I can see that the reset password flow runs against your external database connection because the import mode (to migrate the user to the Auth0 store) is turned off.

Because of that, I would double-check the “Change Password” script corresponding to your custom database.
For debugging, you can install and use our extension, the “Real-time Webtask Logs” tool.

To see what’s happening in your “Change Password” script while it is being run, you can add console.log() on each step to print the responses and inspect them via the Real-time Webtask Logs.

This is my changePassword script.

async function changePassword(email, newPassword, callback) {
  const bcrypt = require('bcrypt');
  const apiEndpoint = configuration.apiEndpoint + '/change-password';
  const apiKey = configuration.apiKey;
  const salt = 10; // bcrypt cost factor (salt rounds)

  try {
    // bcrypt.hash returns a Promise; without await, JSON.stringify
    // would serialize it as {} instead of the hash string.
    const hashedPassword = await bcrypt.hash(newPassword, salt);
    const body = JSON.stringify({
      email: email,
      password: hashedPassword
    });
    const options = {
      method: 'POST',
      body: body,
      headers: {
        "Content-Type": "application/json",
        "api-key": apiKey
      }
    };

    // Debug only: options includes the API key and the password hash.
    console.log('Change pass: ', apiEndpoint, options);
    const response = await fetch(apiEndpoint, options);
    if (!response.ok) {
      console.log('change pass error: ', response);
      return callback(new Error(`HTTP error: ${response.statusText}!`));
    }

    const result = await response.json();
    console.log('Change pass result: ', email, result);
    if (result.code !== 0) {
      return callback(new Error(result.error));
    }

    return callback(null, { "last_password_reset": Date.now() });
  } catch (err) {
    // A rejected hash, fetch or JSON parse must still reach the callback.
    return callback(err);
  }
}

I used the extension that you mentioned and saw only a log at the step where Auth0 executed the getUser script (with a valid profile), and the reset password flow stopped there with the error “Something went wrong, please try again later”. I didn’t receive a reset password email, so I think my changePassword script wasn’t reached. Could we have a log that shows why the flow stopped without sending a reset-password email?

Thank you!

Hi @phuong.le ,

I checked further and realized that the change password script will fire once a user clicks on the confirmation link. Thus, you will not see any logs from the console.log prints, as the user is not getting the link.

But it doesn’t mean the script is not validated at the moment of sending the request to
https://subdomain.auth0.com/dbconnections/change_password?client_id=iALd....VR89&email=m.....ka@okta.com&connection=t...d

(I received 400 error code when calling the above URL while not having the appropriate custom database script set on my auth0 tenant).

I noticed that the ‘Change Password’ script for your custom database intends to send a new password plainly (without hashing it first).

Could you please verify if your custom database endpoint, which is responsible for receiving the new passwords, accepts plain text? Maybe you need to hash it first (and implement hashing similar to what is suggested in our example Change Password script in this doc)?

Or maybe the external database endpoint (‘…/change-password’) to receive a new password, which is specified in the script as const apiEndpoint = configuration.apiEndpoint + '/change-password', is wrong? :thinking:

@phuong.le In your ‘Get User’ script, on the other hand, I noticed that you use a POST method when trying to retrieve (GET) an entry from your database (to determine if the user exists).

The ‘Get User’ script is fired first in both cases - when attempting to log in or resetting the password.

This was my mistake in the getUser script: it should call callback(null, profile), but I called the callback with the wrong param.

Thank you @marcelina.barycka

1 Like
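
The resolution above comes down to the Get User script's callback contract: `callback(null, profile)` when the user exists, `callback(null)` when it does not, and `callback(error)` on a backend failure. The following local harness is an added example, not code from the thread; `makeGetUser`, `fakeLookup`, `classifyCallback`, the sample user and the faulty variant are all constructed for illustration, and the faulty variant is not the poster's actual script.

```javascript
// Constructed stand-in for the external user store; calls back synchronously.
const USERS = {
  'alice@example.com': { id: 42, email: 'alice@example.com', verified: true }
};
function fakeLookup(email, cb) {
  if (email === 'boom@example.com') return cb(new Error('backend unavailable'));
  cb(null, USERS[email] || null);
}

// Get User script that follows the callback contract.
// `lookup` is injected so the script can be exercised without a tenant.
function makeGetUser(lookup) {
  return function getByEmail(email, callback) {
    lookup(email, (err, row) => {
      if (err) return callback(err);    // backend failure
      if (!row) return callback(null);  // user not in this connection
      return callback(null, {           // found: error slot stays null
        user_id: String(row.id),
        email: row.email,
        email_verified: row.verified
      });
    });
  };
}

// Constructed faulty variant: the profile lands in the error slot.
function faultyGetByEmail(email, callback) {
  fakeLookup(email, (err, row) => callback(row));
}

// Runs a script once and classifies what it passed to the callback.
// Requiring user_id and email in the profile is this harness's assumption.
function classifyCallback(script, email) {
  let args = null;
  script(email, (...a) => { args = a; });
  if (args === null) return 'callback never called';
  const [err, profile] = args;
  if (err instanceof Error) return 'error';
  if (err != null) return 'invalid: non-Error value in first argument';
  if (profile === undefined) return 'not found';
  if (!profile || !profile.user_id || !profile.email) {
    return 'invalid: profile missing user_id or email';
  }
  return 'ok';
}
```

Running `classifyCallback` against a script before deploying it separates a contract mistake in Get User from a problem in the Change Password script, which only runs after the user follows the emailed link.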