Details
- Bug
- Resolution: Duplicate
- Minor
Description
Since the password reset link is one-time use, services such as Microsoft "safe link" break the password reset process by issuing a request to the link before the user does.
It seems like 'HEAD' requests are used for this, so filtering those out might help:
diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm index 2482cd2dd98..e7979907575 100644 --- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm +++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm @@ -147,7 +147,7 @@ $services.localization.render('xe.admin.passwordReset.instructions') #elseif (!$services.csrf.isTokenValid($request.form_token)) #resetPasswordBoxStart("danger") $services.localization.render('xe.admin.passwordReset.error.csrf') - #else + #elseif ($request.method.toLowerCase() != 'head') #validateFields($passwordFields, $request) #if (!$allFieldsValid) #displayForm($stringtool.join($allFieldsErrors, "<br/>") $validationString)
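Review bot: replacing the final `#else` with `#elseif ($request.method.toLowerCase() != 'head')` leaves the `#if`/`#elseif` chain with no branch at all for a HEAD request, so such a request is silently answered with an empty body and the template gives no indication that this is intentional; add an explicit `#else` branch for the HEAD case (even if it only carries a comment explaining that link scanners pre-fetch the one-time link and must not consume it) so the behaviour is documented in the template rather than implied by a missing branch. Note also that, as the hunk reads, the method check is only reached after `$services.csrf.isTokenValid($request.form_token)` has already passed, so the change should be reviewed together with the earlier conditions in the chain (not visible here) to confirm a pre-fetch without a form token actually reaches the new branch; filtering on the HTTP method is a heuristic against one class of scanner, and the duplicate XWIKI-19077 addresses the one-time verification itself.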
Issue Links
- duplicates XWIKI-19077 Less strict code verification in the reset password system (Closed)