14003
Reporter: ahahn
Assignee: cvizitiu
Type: Feedback
Summary: Password reset does not work for me
Resolution: Invalid
Status: Closed
Created: 2013-09-19 16:38:39.47
Updated: 2013-09-20 10:06:16.788
Resolved: 2013-09-20 10:06:16.765
Description: Trying to log in to start a download, forgot my username and/or password, requesting a reset through the "forgot your password?" link at uat.gbif.org/user: receive a confirmation page that information has been sent to my email, but nothing arrives in the email account (including spam folder). Several attempts.
I seem to remember we have seen that effect a while ago, where it had something to do with maximum number of attempts locking something. The limit had been raised (or the wait time before unlocking set to 0, I forget which). Is it possible that limit made it back into the portal?
Author: cvizitiu@gbif.org
Created: 2013-09-19 21:20:18.127
Updated: 2013-09-19 21:20:18.127
1. The reset worked for me immediately
2. Requesting a reset for ahahn@gbif.org resulted immediately in
Sep 19 21:16:45 gerula postfix/qmgr[2097]: E53C06E80A7: from=, size=1188, nrcpt=1 (queue active)
Sep 19 21:16:45 gerula postfix/smtp[9177]: E53C06E80A7: to=, orig_to=, relay=aino.gbif.org[192.38.28.60]:25, delay=0.07, delays=0.07/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 02B1B42D14)
... on our email gateway
3. I've deleted a certain a.hahn user while migrating the data today
4. If you request a reset for an invalid user, NO WARNING WILL BE DISPLAYED. And this is on purpose, otherwise anybody could write a script to verify users against our login.
I'm closing as invalid, reporter re-open if you have a clear reproducible procedure using the email address.
Author: trobertson@gbif.org
Created: 2013-09-20 08:35:37.475
Updated: 2013-09-20 08:35:37.475
[~ahahn@gbif.org] Can you please let Cip know the username you were resetting. I believe it to be the one you created months ago, so this could well be a genuine issue we need to understand - especially since this happened twice to you.
Cip, please only close this one with agreement from Andrea that it is resolved. Let's find her account name, check the entry is in the table, and watch it happen on Andrea's machine. If this is real, it means people can't manage their accounts.
Last time it was related to the thresholds as Andrea explained in the issue. We should verify those changes are still in effect. (wait time stuff)
Author: ahahn@gbif.org
Created: 2013-09-20 09:37:01.903
Updated: 2013-09-20 09:37:01.903
To reproduce (same this morning):
- opened http://uat.gbif.org/user/login
- typed user name "Andrea" and supposed password
- receive error message "Sorry, unrecognized username or password. Have you forgotten your password?"
- click on "Forgot your password?"
- form http://uat.gbif.org/user/password asks for username or e-mail address
- enter GBIF email address, click on "Reset my password"
- get "Status message: Further instructions have been sent to your e-mail address." (http://uat.gbif.org/user)
- no email arrives (incl spambox)
N.B.: the form does not ask to enter your username AND e-mail address. From uat.gbif.org/user/login it would just as well be possible to immediately click on "Forgot your password" and enter an email address, without ever capturing any user name to verify against. Even if a user does not remember their user name, entering a correct registered email should give them the mail with instructions.
N.B.2: if you wanted to safeguard against people scripting for finding valid user names, then the feedback form after entering a name into http://uat.gbif.org/user/password needs to be reconsidered: on entering an invalid user name ("ahahn") instead of an email, it clearly tells you "Sorry, ahahn is not recognized as a user name or email address". However, I consider it a valid case to handle not only password resets, but also forgotten user names. Both should be content of the email.
Needless to say, this makes for a very frustrating user experience. a.hahn was a fallback user I created because the same effect had prevented me from running downloads last week. Should we have a policy on account deletions?
Author: cvizitiu@gbif.org
Created: 2013-09-20 09:53:05.991
Updated: 2013-09-20 09:53:05.991
Again:
The reset requested by Andrea at 9:29 can be traced in the SMTP gateway logs:
Sep 20 09:29:48 gerula postfix/qmgr[12878]: D38716E80B1: from=, size=1188, nrcpt=1 (queue active)
Sep 20 09:29:48 gerula postfix/smtpd[15129]: disconnect from jawa.gbif.org[130.226.238.239]
Sep 20 09:29:48 gerula postfix/smtp[15124]: D38716E80B1: to=, orig_to=, relay=aino.gbif.org[192.38.28.60]:25, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EBE2842D15)
The delivery ticket "EBE2842D15" can be traced in the user's mail spool folder:
# grep -ir EBE2842D15 *
498.: by aino.gbif.org (Postfix) with ESMTP id EBE2842D15
In this particular case I've traced it down to the user's server side email filters
[...]
#START_SIEVE_RULEYTo1OntzOjQ6ImNvbmQiO2E6MTp7aTowO2E6NDp7czo0OiJ0eXBlIjtzOjY6ImhlYWRlciI7czo2OiJoZWFkZXIiO3M6NDoiRnJvbSI7czo5OiJtYXRjaHR5cGUiO3M6ODoiY29udGFpbnMiO3M6
[...]
*header :contains "From" "uat-portal@gbif.org"*
{
fileinto *"INBOX.uatPortalDownloads"*;
stop;
}
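The tracing Cip did by hand above (local queue id on the gateway, then the "queued as" id on the receiving host, then the spool) can be scripted. Added example, not GBIF's tooling: it parses postfix log lines into per-queue-id records and returns the remote queue id to grep for next; the sample log is constructed from the lines quoted in this thread, with the addresses (stripped in the quote) filled in for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the postfix lines quoted in the thread. The quoted
# lines had their addresses stripped; the ones below are filled in for the example.
SAMPLE_LOG = """\
Sep 20 09:29:48 gerula postfix/qmgr[12878]: D38716E80B1: from=<uat-portal@gbif.org>, size=1188, nrcpt=1 (queue active)
Sep 20 09:29:48 gerula postfix/smtpd[15129]: disconnect from jawa.gbif.org[130.226.238.239]
Sep 20 09:29:48 gerula postfix/smtp[15124]: D38716E80B1: to=<ahahn@gbif.org>, orig_to=<ahahn@gbif.org>, relay=aino.gbif.org[192.38.28.60]:25, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EBE2842D15)
"""

# postfix/<process>[pid]: <QUEUEID>: key=value, key=value, ...
LINE_RE = re.compile(r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")


def parse_postfix(log: str) -> Dict[str, Dict[str, str]]:
    """Merge the qmgr/smtp lines of each message into one record keyed by local queue id."""
    messages: Dict[str, Dict[str, str]] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # smtpd connect/disconnect lines carry no queue id
        rec = messages.setdefault(m["qid"], {"proc": m["proc"]})
        for key, val in KV_RE.findall(m["rest"]):
            rec[key] = val.strip("<>")
        q = QUEUED_AS_RE.search(m["rest"])
        if q:
            # The id assigned by the next hop: what to grep for in its logs or the spool.
            rec["remote_queue_id"] = q.group(1)
    return messages


def trace_delivery(log: str, recipient: str) -> Optional[Dict[str, str]]:
    """Return the gateway's record for mail addressed to `recipient`, or None."""
    for rec in parse_postfix(log).values():
        if rec.get("to", "").lower() == recipient.lower():
            return rec
    return None
```

A `status=sent` record with a remote queue id means the gateway did its job; the next place to look is the receiving host, not the portal.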
Author: cvizitiu@gbif.org
Created: 2013-09-20 09:54:34.122
Updated: 2013-09-20 09:54:34.122
Update: searching the user's spool directory reveals the other email requests too:
# grep "reset the password" *
449.:A request to reset the password for your account has been made at GBIF.ORG.
450.:A request to reset the password for your account has been made at GBIF.ORG.
451.:A request to reset the password for your account has been made at GBIF.ORG.
452.:A request to reset the password for your account has been made at GBIF.ORG.
454.:A request to reset the password for your account has been made at GBIF.ORG.
478.:A request to reset the password for your account has been made at GBIF.ORG.
479.:A request to reset the password for your account has been made at GBIF.ORG.
480.:A request to reset the password for your account has been made at GBIF.ORG.
489.:A request to reset the password for your account has been made at GBIF.ORG.
492.:A request to reset the password for your account has been made at GBIF.ORG.
493.:A request to reset the password for your account has been made at GBIF.ORG.
494.:A request to reset the password for your account has been made at GBIF.ORG.
495.:A request to reset the password for your account has been made at GBIF.ORG.
496.:A request to reset the password for your account has been made at GBIF.ORG.
497.:A request to reset the password for your account has been made at GBIF.ORG.
498.:A request to reset the password for your account has been made at GBIF.ORG.
499.:A request to reset the password for your account has been made at GBIF.ORG.
Not a bug.
Author: ahahn@gbif.org
Created: 2013-09-20 09:56:33.103
Updated: 2013-09-20 09:56:33.103
Oops, sorry - my mistake. Forgot that folder. Apologies!
That only leaves this then:
N.B.2: if you wanted to safeguard against people scripting for finding valid user names, then the feedback form after entering a name into http://uat.gbif.org/user/password needs to be reconsidered: on entering an invalid user name ("ahahn") instead of an email, it clearly tells you "Sorry, ahahn is not recognized as a user name or email address". However, I consider it a valid case to handle not only password resets, but also forgotten user names. Both should be content of the email.
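A reset handler that satisfies both Cip's point 4 (no distinguishable feedback for unknown accounts) and Andrea's N.B.2 (accept username or e-mail, and put the username in the mail). Added example, not the GBIF portal's code: it assumes an in-memory user list and an outbox list standing in for the SMTP gateway; the status text is the one quoted in the thread.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Same status text for every request, mirroring the portal's message quoted above.
GENERIC_MESSAGE = "Further instructions have been sent to your e-mail address."


@dataclass
class User:
    username: str
    email: str


@dataclass
class ResetService:
    users: List[User]                                           # constructed in-memory user table
    outbox: List[Dict[str, str]] = field(default_factory=list)  # stand-in for the SMTP gateway
    tokens: Dict[str, str] = field(default_factory=dict)        # username -> one-time token

    def _lookup(self, identifier: str) -> Optional[User]:
        # Accept a username or an e-mail address, so a forgotten username is no obstacle.
        ident = identifier.strip().lower()
        for u in self.users:
            if ident in (u.username.lower(), u.email.lower()):
                return u
        return None

    def request_reset(self, identifier: str) -> str:
        user = self._lookup(identifier)
        if user is not None:
            token = secrets.token_urlsafe(32)
            self.tokens[user.username] = token
            # The mail names the account, so it answers "forgotten username" as well.
            self.outbox.append({
                "to": user.email,
                "body": (f"A request to reset the password for your account "
                         f"'{user.username}' has been made at GBIF.ORG. Token: {token}"),
            })
        # Identical response whether or not the identifier matched: there is no
        # "not recognized as a user name or email address" branch to probe.
        return GENERIC_MESSAGE

    def redeem(self, username: str, token: str) -> bool:
        # Constant-time comparison, single use.
        expected = self.tokens.get(username)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.tokens[username]
        return True
```

The response text is uniform, but the found branch still does extra work (token generation, mail); in a real deployment the mail should be queued asynchronously so response time does not differ either.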