Self Service Password Reset fails after upgrade to UCS 4.4

Greulich · March 14, 2019, 3:14pm

Hi there,

I installed Self Service module on UCS 4.3-3 and the password reset used to work fine.

After upgrade to UCS 4.4 the password reset procedure breaks. The E-Mail with containing the link with the token is sent (seemingly) correctly. Following the link the user is not able to set a new password, but gets on the page where he can insert his username and request a token again. The behavior is equal on both the link containing the token & username and for the blank link (https://f.q.dn/univention/self-service/#page=newpassword). I tested it with Firefox and Chrome.

The browser outputs the following error in console:

dojo.js.uncompressed.js:8581 TypeError: Cannot read property 'firstChild' of undefined
    at Object.<anonymous> (main.js:108)
    at dojo.js.uncompressed.js:2936
    at Object.forEach (dojo.js.uncompressed.js:4232)
    at Object._addSubPages (main.js:101)
    at Object.start (main.js:71)
    at Object.callback ((index):15)
    at callback (config.js:149)
    at ha (dojo.js.uncompressed.js:1164)
    at dojo.js.uncompressed.js:1330
    at ia (dojo.js.uncompressed.js:1307) "in domReady callback" "TypeError: Cannot read property 'firstChild' of undefined
    at Object.<anonymous> (https://f.q.dn/univention/self-service/main.js:108:34)
    at https://f.q.dn/univention/js/dojo/dojo.js:42:499
    at Object.forEach (https://f.q.dn/univention/js/dojo/dojo.js:57:383)
    at Object._addSubPages (https://f.q.dn/univention/self-service/main.js:101:10)
    at Object.start (https://f.q.dn/univention/self-service/main.js:71:9)
    at Object.callback (https://f.q.dn/univention/self-service/:15:18)
    at callback (https://f.q.dn/univention/js/config.js:149:22)
    at ha (https://f.q.dn/univention/js/dojo/dojo.js:20:170)
    at https://f.q.dn/univention/js/dojo/dojo.js:20:425
    at ia (https://f.q.dn/univention/js/dojo/dojo.js:20:292)"

Reinstallation of the Self Service module and reboot of the machine didn’t change the behavior.

Thanks for your advice!

Best regards,
Greulich

Christian_Voelker · March 14, 2019, 4:01pm

Hi,

have you rebooted the server?

Have you cleaned your browser cache (or “Reload”)?

/CV

Moritz_Bunkus · March 14, 2019, 4:28pm

I can reproduce this problem. The recovery mail sends two links, one that’s supposed to reset the password directly by including the token in the URL, and one that’s supposed to open the page where you can enter the user name, the token & the new password manually.

Unfortunately both links result in the start page where you can enter the user name & select the recovery method — and then another token is sent.

The whole process only works if you do the steps, do not close the browser window (as it’s showing the “enter user name, token & new password” page after sending the token), wait for the recovery token to arrive & to enter then.

You should probably open a bug over on the bug tracker. I’m a bit pressed for time; otherwise I’d do it myself.

Greulich · March 14, 2019, 5:59pm

Hello again,

thanks for your response!

Cleaning the browser cache and rebooting the server doesn’t change the behavior.

I found the following old bug with the same behavior in bugzilla, so I didn’t create a new one:
https://forge.univention.org/bugzilla/show_bug.cgi?id=45041

Best regards,
Greulich

Best · March 14, 2019, 6:09pm

What browser + version are you using?

Moritz_Bunkus · March 15, 2019, 8:27am

In my case: Vivaldi 2.4.1468.4, Google Chrome 72.0.3626.81 and Firefox 65.0.2. With each visiting the link sent in the mail lands me here:

DeepinScreenshot_select-area_20190315092615

…which is the dialog to generate a new token, not the dialog to use the already-sent token to set a new password.

Best · March 15, 2019, 8:30am

Can you assure that the urlencoding of the link is correct? Maybe the e-mail encoding is broken. In my test I could access it.

Moritz_Bunkus · March 15, 2019, 9:47am

I copy-pasted from two different email programs. I really don’t think they both would be able to get it wrong, especially as I use both all the time for copy-pasting URLs.

Just to be sure, here’s the raw email as downloaded via IMAP:

Return-Path: <noreply@master.mbu-test.intranet>
X-Original-To: m.bunkus@linet-services.de
Delivered-To: mbunkus@localhost
Received: from master.mbu-test.intranet (unknown [IPv6:2001:1640:141:e:1::6e])
	by merrimack.linet-services.de (Postfix) with ESMTPS id D9BFEFC08B2
	for <m.bunkus@linet-services.de>; Thu, 14 Mar 2019 17:23:18 +0100 (CET)
Received: from master.mbu-test.intranet (localhost [IPv6:::1])
	by master.mbu-test.intranet (Postfix) with ESMTP id E427FABACBF
	for <m.bunkus@linet-services.de>; Thu, 14 Mar 2019 17:23:17 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Subject: Password reset
Date: Thu, 14 Mar 2019 17:23:17 +0100
From: Password Reset Service <noreply@master.mbu-test.intranet>
To: m.bunkus@linet-services.de
Content-Transfer-Encoding: quoted-printable
X-TUID: aB14RcTbZSxd

Dear user mbunkus,

we have received a password reset request for your account. If you did not
wish to change your password, you can safely ignore this message.

To change your password please follow this link:

https://master.mbu-test.intranet/univention/self-service/#page=3Dnewpasswor=
d&token=3Dmffvd7CZCPxWQLvM4dYQbdXjvqhHSF5SXoVQUtHx6UqDPGtsFEVENjF6pPnM3RNF&=
username=3Dmbunkus

If the link does not work, you can go to

https://master.mbu-test.intranet/univention/self-service/#page=3Dnewpassword

and enter the following token manually:

mffvd7CZCPxWQLvM4dYQbdXjvqhHSF5SXoVQUtHx6UqDPGtsFEVENjF6pPnM3RNF

Greetings from your password self service system.

So decoding the quoted-printable URL leads to

https://master.mbu-test.intranet/univention/self-service/#page=newpassword&token=mffvd7CZCPxWQLvM4dYQbdXjvqhHSF5SXoVQUtHx6UqDPGtsFEVENjF6pPnM3RNF&username=mbunkus

and visiting that URL shows the same issue. Even with cleared cache, in a privacy mode window etc. My browser’s JavaScript console shows the same “Cannot read property ‘firstChild’ of undefined” error the original poster mentioned.

Nutzername · March 19, 2019, 11:45am

Hello,
I’m having this problem to. I upgraded three Servers to UCS 4.4-0 errata-5. The only way to use the password reset page, is to stay on it and paste the token from the email in it. I rebooted all three servers and tried removing and installing the self-help-app. There is an old bug report from 2017. Would it be reasonable to open another one?

Moritz_Bunkus · March 20, 2019, 9:37am

The bug tracker would definitely a better place to track such an issue — so yeah, please do so.

Corin · April 2, 2019, 12:05pm

i have the same problem.

@Nutzername may you share the link to the bug report?

Nutzername · April 2, 2019, 12:19pm

Here you go: BugTracker

badzoo · April 18, 2019, 8:55pm

i also have the same problem.