Rocket.chat: Password reset / recovery is broken

Created on 27 Nov 2015 · 10 Comments · Source: RocketChat/Rocket.Chat

I only tested this on the server hosted by the developers of Rocket.Chat and didn't test it on my own installation.
When requesting a password reset, it does send you the e-mail and it is received with no problem. However, once you hit the link in the e-mail (the one looking like this: https://demo.rocket.chat/login/#/reset-password/{long_string}), it won't load the input box which usually asks you for the new password; instead, you're taken to the login screen without any apparent error.

This is the output from my developer console:
[Screenshot: rocketchat_passwordreset]

accounts bug

All 10 comments

I tested on my own installation and it is broken indeed. Same behavior as above, just redirects to the login screen

Yep I've just followed the docker installation instructions and I'm now locked out :( Forgot password just sends you back to the login screen and Rocket.Chat tells me my admin email or password is wrong (I saved it using a password manager so it can't be wrong)

I had the same problem with Wekan, and in my case that was because the routes configuration was done on the client only — and not the server. Not sure if that helps.

+1 Broken here as well.

See here for accessing the mongo database directly when deployed via docker:
https://github.com/RocketChat/Rocket.Chat/issues/766#issuecomment-139656453

@bernardoflynn Did you by chance enable email confirmations before being locked out? Then see the referenced comment to restore access.

You can manually generate a password hash like this (replace 'password') and then update the mongo database directly:

#!/usr/bin/env node

var bcrypt = require('bcrypt');
var crypto = require('crypto');
var pwd = 'password'; // replace with the new password

bcrypt.genSalt(10, function(err, salt) {
    if (err) throw err;
    // bcrypt is applied to the hex SHA-256 digest of the password, not to the plaintext.
    var sha256 = crypto.createHash('sha256').update(pwd).digest('hex');
    bcrypt.hash(sha256, salt, function(err, hash) {
        if (err) throw err;
        // Store hash in your password DB.
        console.log(hash);
    });
});

I believe this is also related to email confirmations not working as well, as they use the same url type "#" to state what is happening.

@graywolf336
any news/update how to solve the email confirmation issue?

@adrianb88 Not yet, if someone else doesn't do it before me this weekend I will take a look

Just tested again with the latest docker image from 29 hours ago (previous was from 11 days ago), problem still there. @graywolf336 Thanks, that would be great!

Someone on my team lost his password, so I updated the database directly, as suggested by @tholu.

I want to share the steps I used (I installed via composer):

1.- docker exec -it rocketchat_db_1 bash (log in to the container, use the appropriate container name)
2.- mongo (enter the database)
3.- use rocketchat (change to the rocketchat database)
4.- db.getCollection('users').find({ username:"John"}) (find the _id for user John)
5.- db.getCollection('users').update({_id:"gYvyetq89wtnvEk9K"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } }) (reset John's password to 12345, use the _id obtained in step 4)
6.- quit() (quit mongo)
7.- exit (quit container)

I hope it could be useful
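
The manual recovery described in the comments above writes a bcrypt string straight into the users collection. As an added example (not code from the thread or from Rocket.Chat), this Node.js code checks that the string is a well-formed bcrypt hash before it is stored and builds an update that changes only services.password.bcrypt. The names parseBcrypt and buildPasswordUpdate, the minCost threshold and the sample values are assumptions of the example.

```javascript
// Added example (not from the thread). Validates a bcrypt string before it is
// written to the users collection and builds a narrowly scoped update.
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a modular-crypt bcrypt string into version, cost, salt and digest.
// Returns null for anything that is not a complete 60-character bcrypt hash.
function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(String(hash).trim());
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // range bcrypt itself accepts
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Build the filter/update pair for db.getCollection('users').update(...).
// minCost is an assumption of this example; 10 matches genSalt(10) in the thread.
function buildPasswordUpdate(userId, hash, minCost = 10) {
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new Error('userId must be a non-empty string');
  }
  const parsed = parseBcrypt(hash);
  if (!parsed) throw new Error('not a well-formed bcrypt hash');
  if (parsed.cost < minCost) {
    throw new Error('bcrypt cost ' + parsed.cost + ' is below ' + minCost);
  }
  return {
    filter: { _id: userId },
    // Dotted path: only services.password.bcrypt changes. A $set on the whole
    // "services" object replaces every other key stored under it.
    update: { $set: { 'services.password.bcrypt': String(hash).trim() } },
  };
}

// Constructed sample values, not a real account or credential.
const SAMPLE_ID = 'exampleUserId0001';
const SAMPLE_HASH = '$2a$10$' + 'A'.repeat(22) + 'B'.repeat(31);

console.log(JSON.stringify(buildPasswordUpdate(SAMPLE_ID, SAMPLE_HASH), null, 2));
```

The printed filter and update objects can be passed as the two arguments of the update call from step 5.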
