Invalid password reset link

Development
1

Hello,

I stumbled on one issue, and I’m not sure whether I discovered a bug, or perhaps I do something wrong.

When user enters their credentials incorrectly too many times, they are prompted with a screen like this:

Password-recovery
Password-recovery672×750 34 KB

The hyperlink in “you can reset your password here…” points to a non existing site page:
http://<your_openedx_lms_address>/reset

Comeno-page-doesnt-exist
Comeno-page-doesnt-exist1261×1056 49.1 KB

I did some investigation, and it looks like there’s another url which works:
http://<your_openedx_lms_address>/password_assistance

password-assistance
password-assistance1261×1056 48 KB

This url seems to be the correct one. The form “Password assistance” is displayed also on edx.org, which I take as a ground source of truth.

The file responsible for rendering this incorrect url (/reset instead of /password_assistance) is located here:
edx-platform/openedx/core/djangoapps/user_authn/views/login.py

Now back to my questions:

  • Do you face the same issue when usign latest Open edX?
  • Is it a bug, or I just misconfigured something on my end (I’m using native install)
  • If it’s a bug, where should I report it?
  • Is there a way how to temporarily modify the file inside edX comprehensive theme? I think views can’t be overridden.

Thanks for all your answers.

2

For now, I fixed my issue with this script:

sudo sed -i -e "s/\/reset/\/password_assistance/g" /edx/app/edxapp/edx-platform/openedx/core/djangoapps/user_authn/views/login.py
sudo /edx/bin/supervisorctl reload
3

Hi @vzahradnik!

I haven’t confirmed it, but it sure looks like a bug. This is Koa, right? Would it be too much to ask for you to confirm that it’s still an issue in Lilac? If it is, the best place for you to open a bug would be in the build-test-release working group’s issue board.

(The reason I ask for Lilac confirmation is that the community-run group only supports the latest release - Koa is now unsupported.)

4

I will definitely check. I didn’t know Lilac was already released, probably I’ll upgrade too.

5

edx.org uses the /reset link: Authn | edX

This is provided by the new frontend app, frontend-app-authn, but I’m not sure exactly how this MFE gets installed, or which releases are using it.

These sandboxes were deployed with the openedx_native.yml playbook, and their “reset password” links use /reset and are working ok.

They all share similar ansible variables, and I believe the relevant ones here are:

EDXAPP_FEATURES:
   ENABLE_COMBINED_LOGIN_REGISTRATION: true
EDXAPP_ENABLE_COMPREHENSIVE_THEMING: true
EDXAPP_COMPREHENSIVE_THEME_DIRS:
- /edx/var/edxapp/themes

The branding-theming-sandbox also adds these for the edx-simple-theme:

EDXAPP_COMPREHENSIVE_THEME_SOURCE_REPO: https://github.com/open-craft/edx-simple-theme/
EDXAPP_COMPREHENSIVE_THEME_VERSION: master
EDXAPP_DEFAULT_SITE_THEME: simple-theme
SIMPLETHEME_ENABLE_DEPLOY: true
SIMPLETHEME_SASS_OVERRIDES: [ /* snip: lots of things */]
SIMPLETHEME_STATIC_FILES_URLS: [ /* snip: few of these too */]

Unfortunately the new MFEs aren’t themable with comprehensive themes, you have to replace the whole package to change anything. But since this appears to be something we need to fix, then it would be better to fix it upstream than for you to have to maintain a custom fix.

It definitely sounds like a bug, but I’m curious as to why we’re not seeing it too. Can you provide some more details about your installation process?

  • native or Tutor? (You said native, so just confirming.)
  • EDX_PLATFORM_VERSION
  • configuration_version
  • playbook used
  • any non-sensitive ansible variables that you can share
6

Thanks for detailed comments.

  • We’re using native install
  • Koa/3
  • configuration_version - What exactly do you mean?
  • playbooks used - Default playbooks deployed with native install script
  • We didn’t modify ansible stack. Most of our modifications are in lms.yml and studio.yml; as far as I can tell there’s no config variable to specify the /reset URL.

Please let me know if you need more details. I can try to dig it up.

7

One more thing for you to check:

  • There are two ways how password reset works
  • The first way is through html forms, in which case /reset works also for me
  • The second way is when you want to access direct link www.yourdomain/reset. I got to this link only when I entered my password wrong too many times. Most users don’t face this issue as long as they know their password to edX
8

Interesting.

That /reset link works fine for me if I click on it from the /login page, but only in that browser session. It 404s for me if I open it in a new window, and will probably break for you too if you click on these links: master /reset, lilac.master /reset and koa.3 /reset

I believe this is because of the Javascript client-side routing that React is doing for the MFE. This StackOverflow post explains it well: React-router urls don’t work when refreshing or writing manually: answer

My guess is, edx.org solved this by registering the /reset URL on the server side too, so that authn.edx.org/reset is also directed to the MFE. But by default, only /login and /register are known on the server side, as you found by changing user_authn/views/login.py.

To fix this in master, the change needs to be made in a slightly different place: user_authn/urls.py, and we should support both /reset and /password_assistance.

Would you like to submit a PR to get this fixed for master, and then we can pull it into lilac?