@sheldonli999 , thank you for report.

Unfortunately I was not able to reproduce the main issue you described.
Could you please provide us with more information? Like versions of PHP, MySQL and web server. Also it can be helpful if you describe settings of your Magento instance: was it fresh install or upgrade from previous version? Do you have many store views? Maybe some other settings.

Additionally, as I see you mentioned two other problems in this ticket:

• that customer was not able to reset his password;
• problem with webapi
  Could you please describe them as separate issues with detailed descriptions and steps? So that it will be easier to track each problem. Additionally I'm not sure what exact steps I should do to reproduce the last mentioned issue.

I was able to change customer's password in three ways:

1. From customer's dashboard
2. Via 'Forgot Your Password?' link
3. From admin area using 'Reset Password' button as described in steps
   So if you provide additional data I can continue investigation.

@sheldonli999 , the only way I was able to reproduce the error was , when I didn't have a SMTP server installed.

I am able to reproduce the bug easily. Select a customer and edit it (inside admin backend). Click the reset password link, and received an email. Click the link inside the email. Typed in the new password. The error is displayed. Please see the attached screenshot. I can't find any exceptions in the log.

Now click the forget password link on the frontend page (customer page), filled the email address. An error occurred. Please see the attached.

@sheldonli999 , thank you for screenshots.
Unfortunately I still was not able to reproduce the issue.
Could you please answer my questions from a comment above? Probably you missed it, but your answers can help us in issue reproducing.

According to contributor guide, tickets without response for two weeks should be closed.

@andimov @veloraven : having this issue in 2.1 as well.

This happens if you reset the customer password more than once.

• goto customer
• click reset password
  
  
  
  • correct notification should appear
  
  
• click reset password again
  
  
  
  • error, "Something went wrong while resetting password."
  
  

this should be re-opened

I same error with old customer creat before update to magento 2.1

Customer can't login, massenger: An unspecified error occurred. Please contact us for assistance.
When customer reset password, messenger error: We're unable to send the password reset email.
When i reset password from admin, massenger error: Something went wrong while resetting customer password.
My server:
VPS1: Apache 2.4; php 7.0.10
VPS2: Mysql 5.6
How to fix?

The problem is that there is still an unanswered forgot email. In the database a rp_token gets generated for that client and as long as that exists then you will receive this error. This is NOT a bug. But the error handling should be more descriptive.

To solve go into the database where the users are. update rp_token to null and it will work, or give the system to update itself( like 20 min). I'm assuming when the cron does it's thing.

Cheers.

I was check again, some customer still not login.

Hi. I have the same problem. When I have reseted password for one customer I can not reset password to another customer from my PC. Please see to class: app/code/Magento/Security/Model/SecurityChecker/Frequency.php, method loadLastRecordCreationTimestamp. This method return the last date when was reseted password(of any customers). I think that it`s wrong because this method must return the last date of any reset ONLY for this customer.

@veloraven : @Omar-Oleh Omar is right, I just checked. This needs to be labeled a bug.

@Omar-Oleh, @crantron
Please, provide steps to reproduce according to the Issue reporting guidelines.

• Create multiple stores
• create a customer for each store
• choose one of those customers to reset the password
  
  
  
  • do not fully reset the password.
  
  
  • make sure rp_token and rp_token_created_at != NULL
  
  
• now select another customer in a different store.
  
  
  
  • you wont be able to reset the password for ANY other customer while rp_token_created_at for the latter customer still exists.
  
  

Expected result
If a reset password token is set for one customer, it shouldn't effect other customers and them resetting their password.

+1 I got the same issue. Will investigate to get you more details, but this issue is real. Please do not close it without diving deep and resolving.
M2.1.1

TO temporarily fix this issue, will have to run often, but run the mysql queries.

UPDATE customer_entity SET rp_token=NULL;
UPDATE customer_entity SET rp_token_created_at=NULL;

you'll then be able to send out notifications.
@apurv-anand

Internal ticket created MAGETWO-59090. Thanks for reporting

@sheldonli999
Fix for this issue was delivered to develop branch. Pls feel free to check it in develop and reopen if need

• Fix for Magento 2.1 will be delivered late in scope of internal ticket MAGETWO-59416

I think this needs to be reopened. @sdzhepa I tried the fix from the develop branch, but unfortunately this does not fix this issue completely.

It only fixes the type of error message a user gets (by throwing a SecurityViolationException in stead of a normal Exception). It still doesn't fix the issue mentioned earlier by @Omar-Oleh and @crantron.

Steps to reproduce on Magento 2.1.2:

1. Apply fixed files from 7a67ac94dd9a925256f2c94b4ebc597f5e949206
2. Clear all rp_token and rp_token_created_at values in the customer_entity column:
   UPDATE customer_entity SET rp_token=NULL;
UPDATE customer_entity SET rp_token_created_at=NULL;
3. Go to admin, click "Reset Password" for a customer. This should work.
4. (OPTIONAL) Reset the customer's password via the received email link. This will probably work as well.
5. Go to another customer, click "Reset Password". This will throw the following error:
   

Executing step 4 is optional, I get the same result in both cases.

I'm still having problems with this as well:
Steps to reproduce on Magento 2.1.2:

1. Apply fixed files from 7a67ac9
2. Clear all rp_token and rp_token_created_at values in the customer_entity column:
   UPDATE customer_entity SET rp_token=NULL;
   UPDATE customer_entity SET rp_token_created_at=NULL;
3. Send password reset email by clicking link in admin or frontend
4. Reset the customer's password via the received email link.
5. Try the new password gives:
   "INVALID LOGIN OR PASSWORD."

I also was seeing the "Too many password reset requests. Please wait and try again or contact xxx"
I turned off the settings for resetting passwords limits... but it is still a bug.

I'm running 2.1.0, got a project just about to launch now I cannot create/reset password when I add new customer. Steps to reproduce:
1) Add a new website - Wholesale
2) Add a new customer and assign him to Webiste: Wholesale, Customer Group: Wholesale.

Notification email sends ok, but once I try to create the password, it give error: Something went wrong while saving the new password.

I have tried clear all rp_token and rp_token_created_at values in the customer_entity column:
UPDATE customer_entity SET rp_token=NULL; UPDATE customer_entity SET rp_token_created_at=NULL;

It didn't work for me at all, still gives the same error. Any work around suggestion will be appreciated!

now all I'm getting is YOUR PASSWORD RESET LINK HAS EXPIRED.

I'm getting this issue as well in 2.1.2

I also had the same issue on 2.1.0 (yes, I _am_ upgrading it) - "_Something went wrong while resetting customer password._" error. So I checked var/logs/system.log and noticed I have this:

`main.CRITICAL: Exception message: Too many password reset requests. Please wait and try again or contact [email protected].
Trace: #0 /var/www/magento/vendor/magento/module-security/Model/SecurityManager.php(110): Magento\Security\Model\SecurityChecker\Frequency->check(0, 'me@bla...', '10.10.2.132')

1 /var/www/magento/vendor/magento/module-security/Model/Plugin/AccountManagement.php(59): Magento\Security\Model\SecurityManager->performSecurityCheck(0, 'me@bla...')

2 /var/www/magento/vendor/magento/framework/Interception/Interceptor.php(123): Magento\Security\Model\Plugin\AccountManagement->beforeInitiatePasswordReset(Object(Magento\Customer\Model\AccountManagement\Interceptor), 'me@bla...', 'email_reminder', '2')`

I then surfed the DB tables for clues and found password_reset_request_event table and in it, the user request record was found. I deleted the record/row and did another password reset and it worked.

A bug perhaps? It should really say "_Too many resets_" and perhaps allow a way to reset the count?

HTH. Thanks!

I'm facing still issue. Any solution?

@shahankitb997 did you try all the said solutions here? Check for the password-reset limit and such?

This is an acknowledged bug, as mentioned here.

@wilcoguapa It is, but this issue is closed (and fixed, according to @sdzhepa). Shouldn't it be reopened?

@pascaladriaansen Yes it should, because the fix that @sdzhepa mentioned is not yet released, and probably will not be released soon.

I'm also having this issue.
I have Magento 2.1.3 installed and updated by composer.
on the customer_entity table the rp_token and rp_token created_at has some information as mentioned on other comments, I also think is a bug because the rp_token_created_at has a date from september 15th of 2016.

all the cron are set-up correctly. this field must be null by this time, or at least allow to request the password for the customer.
also if I try to do this from the Magento Admin this should not have a restriction of this kind.

Does anybody have a single query to delete both rp_token/token_created_at as well as if there is a matching row in password_reset_request_event if there is a row who's email address matches an above row with a value in rp_token? (I'm somewhat terrible at writing SQL queries)

answered my own question:

DELETE from password_reset_request_event where account_reference in (select distinct email from customer_entity where rp_token is not null and rp_token_created_at is not null);
UPDATE customer_entity SET `rp_token`= NULL, `rp_token_created_at`= NULL WHERE rp_token IS NOT NULL AND rp_token_created_at IS NOT NULL;

I'm adding this to a cron job to run once per hour, and I tell customers that password requests only last until the top of each hour.

@spyrule your picture gives me anxiety +1

why? I'm only updating references that actually exist. Otherwise those two rows are harmless (they don't delete without a result actually existing). I do agree, it would be preferential that the problem actually gets fixed (I really wish they would push updates as single updates for each item, instead of having to wait for major releases). So this is my work-around until this problem is properly resolved (Unfortunately, I don't have time at the moment to write a full proper extension to fix the underlying code problem).

YOUR GUTHUB AVATAR, not your solution. lol.

LOL.... oh. :) (I'll admit, its not actually me, but I found it funny as hell, makes me laugh all the time)

I had these errors even after running the above fixes.
After spending several hours trying to resolve I found that the sent password reset email worked fine in Firefox! It was only IE that was giving the errors such as Your password reset link has expired.

@maultby I can guarantee you this is not a browser issue. Emails don't get sent with frontend tech...

Can anybody confirm if this still happens in 2.1.4/5 ?

I have just encountered this bug in 2.1.4.

@sdzhepa - Can you PLEASE re-open this ticket, it needs further investigation, as this problem still persists (clearly, since people are still having this problem in 2.1.3(me), and 2.1.4(dnadle).

@eCommerceGorilla There is no difference between 2.1.4 and 2.1.5 other than copyright info in the core config files. Just an FYI.

Actually, I have to retract my assertion of it not working. I have been trouble shooting this for a few hours and located the issue not in the core but MageMonkey for Magento 2. Clean install it is working without an issue.

If anyone else is running into this ensure that MageMonkey isn't the issue.

@eCommerceGorilla Were you able to determine what was it in that extension that was causing this problem?

@spyrule No I actually didn't bother devoting any additional time to the 3rd party extension, it was faster for me to just inject MailChimp api v3 calls into the magento side of subscription events and create a controller to handle the MailChimp webhook for unsubscribes.

@eCommerceGorilla Hmmm... source code? :smiley:

INFURIATING this is. NO customers can login in anymore. They all get the same error:
"An unspecified error occurred. Please contact us for assistance."

And we can't find any error detail in any of the server logs - nor in js console. Which makes all of this ever more infuriating.

Not sure when it started, sometime after upgrading from 2.1.0 to 2.1.6.
We staged the site today and upgraded to 2.1.7 > NO JOY.

Meanwhile - the phone is ringing off the hook & we are loosing orders like crazy.

Please help

@kcsf Is this new users or existing users ?

@kcsf After disabling all 3rd party extensions are you still encountering the same issue?

Reopen this. It's been closed for 6 months and still happening.

I agree about reopening this. It happens to me with magento 2.1.7

On Jun 6, 2017 11:35 PM, "dnadle" notifications@github.com wrote:

Reopen this. It's been closed for 6 months and still happening.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/magento/magento2/issues/5260#issuecomment-306677077,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AC7uZcdJigTnKH5EKDUQG2N_zMAsSW39ks5sBhqSgaJpZM4I-e3q
.

@spyrule - problem existed for both new & existing users.
@eCommerceGorilla - yes, still existed after disabling all extensions.

In short; we solved it - after upgrading from 2.1.6 to 2.1.7 & making some changes to the database. We're going to push the changes live next Monday - and I will report back here with the solution when confirmed.

@kcsf So you solved it?

Yes, problem solved.
It appears the root of the problem was two missing columns from the "customer_entity" table. I believe the columns "somehow" didn't get created during the migration from 1.9 to 2.1.

Don't quote me, but the sql to add the missing columns went something like this:
ALTER TABLE customer_entity ADD failures_num SMALLINT( 6 ) NULL DEFAULT '0'; ALTER TABLE customer_entity ADD first_failure NULL DEFAULT '0';
If you want to be sure about it - cross-reference a the customer_entity table on a clean Mage 2.1.6 install. You should see whether or not you have what you need.

@kcsf My customer_entity table already has those columns.

I was receiving this same error everyone describes here. Then, I checked if I had postfix installed in my Ubuntu. I t was not. I then installed it in the system and configured it to site. After that error just disappeared.
Hope this can help others.
Best,
Gabriela

@gcampedelli Not having postfix installed would explain why your reset emails were not going out. The bug in question here occurs when either the admin resets a customer's password, or the customer requests a 2nd reset email before receiving or responding to the first reset email. When that happens the customer enters a state that prevents them from resetting the password. It's a bug, still present in 2.1.6, 7+ months after it was closed here.

For me it is working either way after postfix install. I went to admin >store configuration> customer > Customer configuration > passwords and I've set Max Number of Password Reset Requests to 1000 and the error has gone away so far. So, those who are asking to reopen the topic can try this method I described. Check postfix and change configuration. Let me know if it fix the issue.

Just encountered this on Magento 2.1.5.

So for me it was a 3rd party extension that didn't contain all of the proper fields in its config or system.xml file (I cannot remember at this point). For me it was the well documented Solwin extension that had a bunch of missing information. I removed it, and suddenly all of my password reset functionality worked as expected. :man_shrugging:

I am still facing issue on magento 2.1.8 We're unable to send the password reset email.

I was facing this issue in 2.2 as well, \Magento\Security\Model\SecurityChecker\Quantity and \Magento\Security\Model\SecurityChecker\Frequency are using a bad query ,

'SELECT * FROM password_reset_request_event AS main_table WHERE (request_type = '0')

AND ((ip = '127.0.0.1') OR (account_reference = '[email protected]'))

ORDER BY created_at DESC

LIMIT 1'

If you are using Varnish and take a look in table password_reset_request_event, all customers get the same ipaddress. So if there is any active passwort reset request, all others will be blocked.

I am still facing issue on magento 2.2 We're unable to send the password reset email from web and not working from REST API
http://host/magento22/rest/V1/customers/password
{
"email": "[email protected]",
"template": "reset_password",
"websiteId": 1
}

I've tracked down the "An unspecified error occurred. Please contact us for assistance." error message to LoginPost.php line 189 in Magento 2.1.9. It was being caused by a table from another module was missing. Adding $e->getMessage() to that message will output why the login is failing. I have MAGE_MODE set to developer and looked in all the logs and never seen this exception.

I have also faces this issue. I did it everything all suggestions but still faces same issue yet.. Anybody have another suggestion .. my issue is also - i have not resetting password from the admin side as well as frontend also..
Kindly give me suggestions what I do ?

set new password not working when customer want to reset in magento 2. its load the page after submit and nothing happen.
note-Always show (Please enter a new password) i have change multiple time new passwords

I am also having this issue with Magento 2.2.2, I get transactional emails as expected. However, trying to reset the customer password both through the admin or front-end both results in no email being sent. I am not seeing any errors while checking the log or submitting the reset request.

I am also having this issue. It appears to be due to website URLs that are different then the default URL.

I'm using php7.0 and am on 2.1.11

Assuming my default URL is store.domain.com and I'm logged into the admin at store.domain.com/admin and I view all customers and select a customer who is associated with store2.domain.com. I click the Reset Password button and the transactional email goes out as expected. When viewing the email, the reset password link is store.domain.com/customer/account/createpassword/ whereas I would expect the link to be store1.domain.com/customer/acccount/createpassword/

This whole process seems a bit buggy.
\Magento\Customer\Controller\Adminhtml\Index\ResetPassword::execute() loads the customer object using the customer ID passed in the request parameters and then passes the customer email to \Magento\Customer\Model\AccountManagement::initiatePasswordReset($email, $template, $websiteId)
At this point AccountManagement::initiatePasswordRest attempts to reload the customer object using the email and website ID that were passed to the method. Then with that newly built customer object, \Magento\Customer\Model\EmailNotification::passwordReminder($customer) is called.
This is where I think it is broken... EmailNotification::passwordReminder then attempts to load the storeId from storeManager->getStore()->getId(). If $storeId is still empty at this point, it then gets the store ID from the customer object.

My questions are:

1. Why not just pass the customer object to AccountManagement::initiatePasswordReset from ResetPassword::execute instead of the customer email and website ID? This would prevent having to rebuild the customer object in AccountManagement::initiatePasswordReset.

1. Why is it even attempting to load the store ID from storeManager when the customer object is available as a function argument in EmailNotification::passwordReminder?

My solution:
I overriden EmaliNotification::passwordReminder.

Original --

public function passwordReminder(CustomerInterface $customer)
{
    $storeId = $this->storeManager->getStore()->getId();
    if (!$storeId) {
        $storeId = $this->getWebsiteStoreId($customer);
    }

    $customerEmailData = $this->getFullCustomerObject($customer);

    $this->sendEmailTemplate(
        $customer,
        self::XML_PATH_REMIND_EMAIL_TEMPLATE,
        self::XML_PATH_FORGOT_EMAIL_IDENTITY,
        ['customer' => $customerEmailData, 'store' => $this->storeManager->getStore($storeId)],
        $storeId
    );
}

New --

public function passwordReminder(CustomerInterface $customer)
{
    $storeId = $this->getWebsiteStoreId($customer);

    $customerEmailData = $this->getFullCustomerObject($customer);

    $this->sendEmailTemplate(
        $customer,
        self::XML_PATH_REMIND_EMAIL_TEMPLATE,
        self::XML_PATH_FORGOT_EMAIL_IDENTITY,
        ['customer' => $customerEmailData, 'store' => $this->storeManager->getStore($storeId)],
        $storeId
    );
}

I have a different bug, which is customerId and token are always empty. I print them in public function execute() in file vendor/magento/module-customer/Controller/Account/CreatePassword.php. more details are here

https://magento.stackexchange.com/questions/212210/your-password-reset-link-has-expired-magento-2
https://magento.stackexchange.com/questions/212340/reset-password-problem-magento-2

Kindly advice.

@msliman you should open another if different.

I had same error of too many password reset requests from backend on 2.2.3. It would allow me to do one, but then no more after that. This fix worked for me: https://magento.stackexchange.com/questions/199984/password-reset-throws-something-went-wrong-while-resetting-customer-password-e