pwm
forgottenpassword API throws a NullPointerException after the second request
Describe the bug: The forgottenpassword API crashes after the second request, when the user search and verification detection are complete.
To Reproduce: Steps to reproduce the behavior:
- Install PWM 2.0.3 war on tomcat or run PWM 2.0.6 docker image
- Configure MSAD or FreeIPA with OpenLDAP
- Configure Postgres as an External database and store all information there, including TOKENs
- Configure the Forgotten password module with only SMS/Email TOKEN required
- Enable REST service and /forgottenpassword for public use
- Send the first request to the forgotten password API
- Send a second request with the required form data and state in the request body
- Response will be a 5015 Internal error
Expected behavior: The third response should be METHOD_CHOICE or TOKEN_CHOICE.
Screenshots
Desktop (please complete the following information): It is in the trace log.
Smartphone (please complete the following information): N/A
Additional context: trace.log
Found a partial workaround.
Configure Forgotten Password profile:
- Set SMS/Email Token Verification as optional
- Set Minimum Optional Required to 1
After this the API proceeds further, sends an email with the TOKEN, accepts the TOKEN, removes the claimed TOKEN from the DB and sends the response COMPLETE with the message "The password has been changed successfully." However, the user's password is not changed in LDAP and no email is sent with the new password either.
Attached is the trace log for the last request, which sends the TOKEN in: trace_half_success.log
... sends response COMPLETE with the message "The password has been changed successfully." However, the user did not get their password changed in LDAP and no email was sent with the new password either.
I think I've found the problem with this one here: https://github.com/pwm-project/pwm/blob/529dc0cdac9e9afa80c2627a1ea2dc141d599376/server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordStageProcessor.java#L385C13-L385C13
When we have "Send Password" or "Send Password and expire" configured, this if statement checks whether we can reset the password or unlock the account only, then it returns with the COMPLETE state without doing anything else.
The only way to make it work is to set the Forgotten Password Action to "Allow user to type in new password". I managed to change a user's password via the REST API with all settings configured as mentioned before.
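To make the failure mode described in the comment above concrete, here is an added, stand-alone illustration that is not PWM's code and does not reproduce the linked ForgottenPasswordStageProcessor logic. It models a hypothetical final stage of a forgotten-password flow with the three action settings named in the thread, a buggy variant that reports COMPLETE as soon as the permission check passes, a fixed variant that performs the configured action before reporting COMPLETE, and a check a test suite can run to assert that every COMPLETE response is backed by an actual directory change and a sent notification. The directory, outbox and stage names are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Forgotten-password action, modelled on the options named in the report."""
    SEND_PASSWORD = "send_password"
    SEND_PASSWORD_AND_EXPIRE = "send_password_and_expire"
    TYPE_NEW_PASSWORD = "type_new_password"


class Stage(Enum):
    COMPLETE = "COMPLETE"
    NEW_PASSWORD = "NEW_PASSWORD"  # hypothetical stage: hand off to the "type a new password" form
    ERROR = "ERROR"


@dataclass
class FakeDirectory:
    """Constructed stand-in for the LDAP directory."""
    passwords: dict
    must_change: set = field(default_factory=set)

    def set_password(self, user, new_password):
        self.passwords[user] = new_password

    def expire(self, user):
        self.must_change.add(user)


@dataclass
class Outbox:
    """Constructed stand-in for the mail/SMS sender; records recipients only."""
    sent: list = field(default_factory=list)


def finish_buggy(user, action, directory, outbox, can_reset=True):
    """Reproduces the reported symptom: the permission check passes and the
    handler answers COMPLETE before the configured action has been carried out."""
    if can_reset:
        return Stage.COMPLETE  # nothing written to the directory, nothing sent
    return Stage.ERROR


def finish_fixed(user, action, directory, outbox, can_reset=True):
    """Performs the configured action first; COMPLETE is returned only after the
    directory write and, where applicable, the notification have happened."""
    if not can_reset:
        return Stage.ERROR
    if action is Action.TYPE_NEW_PASSWORD:
        return Stage.NEW_PASSWORD  # the user supplies the password in the next request
    new_password = secrets.token_urlsafe(16)
    directory.set_password(user, new_password)
    if action is Action.SEND_PASSWORD_AND_EXPIRE:
        directory.expire(user)
    outbox.sent.append(user)  # the generated secret itself is never logged here
    return Stage.COMPLETE


def complete_is_backed(stage, user, password_before, directory, outbox):
    """A COMPLETE response for a send-password action must coincide with a
    changed password in the directory and a notification to the user."""
    if stage is not Stage.COMPLETE:
        return True
    return directory.passwords[user] != password_before and user in outbox.sent


def run(handler, action):
    """Drive one handler against a fresh constructed directory and outbox."""
    directory = FakeDirectory(passwords={"alice": "old-secret"})
    outbox = Outbox()
    before = directory.passwords["alice"]
    stage = handler("alice", action, directory, outbox)
    return stage, complete_is_backed(stage, "alice", before, directory, outbox)


if __name__ == "__main__":
    print("buggy:", run(finish_buggy, Action.SEND_PASSWORD))
    print("fixed:", run(finish_fixed, Action.SEND_PASSWORD))
```

The point of `complete_is_backed` is that a success message returned to the client is not evidence that the reset happened; a regression test for the symptom in this thread should compare the directory state and the outbox before and after the request rather than trusting the stage name in the response.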
Thanks for the detailed report. I'm not sure when I'll have time but I'll do my best to get to this soon.