angular-token
Please push the reset password fix to NPM.
The issue where the password reset requires the 'passwordCurrent' field is fixed in the repo but I believe the changes haven't been pushed to npm.
Hey @IrtazaSafi, sorry for the delayed response. I just downloaded the latest package from npm and it contains the ? in question 😄 . Could you check again? Maybe I'm doing something wrong. Thanks!
Hey. The current code has that block however, the backend still fails when I try to reset the password with the user 'logged out'. It works with the user 'logged in'. This is the frontend error that I get:

On the backend I get
Processing by DeviseTokenAuth::RegistrationsController#update as JSON
  Parameters: {"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "reset_password_token"=>"[FILTERED]", "registration"=>{"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "reset_password_token"=>"[FILTERED]"}}
Unpermitted parameters: reset_password_token, registration
Completed 404 Not Found in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)
Do you have any ideas why this is happening?
I'm also getting the same error. Checked my package and passwordCurrent is not required. @IrtazaSafi did you find any solution for this?
Did anybody find a way to fix this? I'm having this error now.
Also getting exact same error. Reset password flow only works if the user is logged in, exactly as @IrtazaSafi reported above.
This is how I managed to reset when the user is logged out. Let me know if it works for you.
https://paste.ofcode.org/RgZYFBZunbKUJMFi5u3AFL
@IrtazaSafi Thanks for posting that, which is almost identical to the code I already have, which only works if the user is logged in.
resetData does not look correct - the updatePassword method of the library accepts type UpdatePasswordData which looks like this:
export interface UpdatePasswordData {
  password: string;
  passwordConfirmation: string;
  passwordCurrent?: string;
  userType?: string;
  resetPasswordToken?: string;
}
It seems odd to me that you also have 'token' as another property, with the same params['token'] in it. I am betting that Rails is just ignoring that parameter entirely.
Also I noticed in the documentation for this method it specifically says 'logged in user':
.updatePassword()
Updates the password for the logged in user.
updatePassword({password: string, passwordConfirmation: string, passwordCurrent: string, userType?: string, resetPasswordToken?: string}): Observable<Response>
Are you 100% certain that users who are logged out can reset their password in your app? If you manually delete localStorage (so the current valid token is gone) and then call this, you should get the same result you reported before and that I still get - user not found.
Another thing about your reset data:
resetData = {
  password: '',
  passwordConfirmation: '',
  passwordCurrent: null,
  resetPasswordToken: '',
  token: '',
};
It is setting the new password to an empty string. You should be getting the new password from a form and sending that, not an empty string.
As an example here is my code after I've called reset.
This is the form - email field is disabled so user cannot change it and resetPasswordToken is hidden.
private buildForm(): void {
  this.form = this.fb.group({
    'email': [{ value: this._activatedRoute.snapshot.queryParams['uid'], disabled: true }],
    'password': ['', Validators.required],
    'passwordConfirmation': ['', Validators.required],
    'resetPasswordToken': [this._activatedRoute.snapshot.queryParams['token']]
  });
}
And this is what happens when the user clicks submit:
public onSubmit(data: UpdatePasswordData): void {
  if (this.form.valid) {
    this._authService.updatePassword(data).subscribe(
      result => {
        if (result.status === 200) {
          this._userService.user = result.json().data;
          this._toastrService.success('Your password was reset!', 'Success');
          this.slowNavigate('pages/dashboard');
        }
      },
      error => {
        this._apiErrorService.notifyErrors(error.json());
      }
    );
  }
}
I think (but am not sure) that previously my resetPasswordCallback may have been wrong. I've just been through everything again and the only code I changed was that (so that the redirect_url sent to the api is correct):
export const environment = {
  production: false,
  token_auth_config: {
    apiHost: 'http://localhost:3000',
    apiBase: 'http://localhost:3000/api',
    registerAccountCallback: 'http://localhost:4200/login',
    signInRedirect: 'login',
    resetPasswordCallback: 'http://localhost:4200/reset'
  }
};
resetPasswordCallback defaults to window.location.href - so will almost certainly be incorrect for most people.
Now when resetPassword is called the data sent is:
{
  email: "[email protected]",
  redirect_url: "http://localhost:4200/reset"
}
It works for users that are logged out.
I am running into an issue where my app is deployed on a variety of subdomains. The goal was to have the redirect_url be determined through window.location; however, this does not work when using AOT. Any idea how to set the resetPasswordCallback dynamically based upon the current URL?
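The reset link lands on the `redirect_url` with `token` and `uid` in its query string (the form above reads them from there), so a callback derived from the current URL should keep only an expected origin plus the fixed reset route. The sketch below is an added example, not code from angular-token or from anyone in this thread; `ALLOWED_BASE_DOMAIN`, `RESET_PATH`, `isAllowedHost` and `buildResetCallback` are hypothetical names, `example.com` is a placeholder domain, and how the result is wired into the library's configuration is not shown.

```typescript
// Added example; every name here is hypothetical and not part of angular-token.
const ALLOWED_BASE_DOMAIN = 'example.com'; // assumption: parent domain of all deployments
const RESET_PATH = '/reset';               // route that hosts the reset form

// Accept the parent domain, its subdomains, and localhost for development.
function isAllowedHost(hostname: string): boolean {
  if (hostname === 'localhost') { return true; }
  return hostname === ALLOWED_BASE_DOMAIN ||
         hostname.endsWith('.' + ALLOWED_BASE_DOMAIN); // leading dot blocks "notexample.com"
}

// Derive the reset callback from the current page URL.
// Returns null when the page is not on an expected host or scheme.
function buildResetCallback(currentHref: string): string | null {
  let url: URL;
  try {
    url = new URL(currentHref);
  } catch (_e) {
    return null; // not an absolute URL
  }
  const host = url.hostname.toLowerCase();
  if (!isAllowedHost(host)) { return null; }
  // Plain http is accepted only for local development.
  const schemeOk = url.protocol === 'https:' ||
                   (url.protocol === 'http:' && host === 'localhost');
  if (!schemeOk) { return null; }
  // url.origin drops path, query and fragment, so a stale ?token=... is never echoed back.
  return url.origin + RESET_PATH;
}
```

In the browser this would be called with `window.location.href`; the API should still check `redirect_url` against its own list of permitted hosts, since a client-side check can be bypassed.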