
forgottenpassword API throws a NullPointerException after the second request #704

Open
tothf opened this issue Sep 21, 2023 · 3 comments
tothf commented Sep 21, 2023

Describe the bug
The forgottenpassword API crashes after the second request, when the user search and verification detection is complete.

To Reproduce
Steps to reproduce the behavior:

  1. Install PWM 2.0.3 war on tomcat or run PWM 2.0.6 docker image
  2. Configure MSAD or FreeIPA with OpenLDAP
  3. Configure Postgres as an External database and store all information there, including TOKENs
  4. Configure the Forgotten password module with only SMS/Email TOKEN required
  5. Enable REST service and /forgottenpassword for public use
  6. Send the first request to the forgotten password API
  7. Send a second request with the required form data and state in the request body
  8. Response will be a 5015 Internal error

Expected behavior
The third response should be METHOD_CHOICE or TOKEN_CHOICE

Screenshots
first_req, second_req (attached images of the first and second request/response)

Desktop (please complete the following information):
It is in the trace log

Smartphone (please complete the following information):
N/A

Additional context
trace.log

tothf commented Sep 21, 2023

Found a partial workaround.

Configure Forgotten Password profile:

  • Set SMS/Email Token Verification as optional
  • Set Minimum Optional Required to 1

After this the API proceeds further, sends an email with the TOKEN, accepts the TOKEN, removes the claimed TOKEN from the DB and sends the response COMPLETE with the message "The password has been changed successfully."
However, the user's password is not changed in LDAP and no email with the new password is sent either.

Attached the trace log for the last request which is sending the TOKEN in.
trace_half_success.log

tothf commented Sep 25, 2023

... sends response COMPLETE with the message "The password has been changed successfully." However, the user's password was not changed in LDAP and no email with the new password was sent either.

I think I've found the problem with this one here: https://github.com/pwm-project/pwm/blob/529dc0cdac9e9afa80c2627a1ea2dc141d599376/server/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordStageProcessor.java#L385C13-L385C13

When "Send Password" or "Send Password and expire" is configured, this if statement checks whether we can reset the password or only unlock the account, and then returns the COMPLETE state without doing anything else.

The only way to make it work is to set the Forgotten Password Action to "Allow user to type in new password". I managed to change the user's password via the REST API with all settings configured as mentioned before.
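The two passages above (the reproduction steps in the report, and the observation that the flow can answer COMPLETE without actually changing the password) describe a stateful client-side exchange. The following is an added example written for this issue; it is not code from the PWM project or from the reporter. It drives a multi-step forgotten-password REST flow, carries the opaque `state` token between requests, surfaces a server error (such as the reported 5015) on the second request instead of continuing, and refuses to treat COMPLETE as proof of success until an independent credential check passes. Assumptions not confirmed by the issue: the endpoint path, the request body shape `{"state": ..., "form": {...}}`, the response envelope (`error`, `errorCode`, `errorMessage`, `successMessage`, `data.stage`, `data.state`), the stage names IDENTIFICATION and VERIFICATION, and the form field names in `ANSWERS`. All responses are constructed so the example runs offline.

```python
"""Drive a PWM-style forgotten-password REST flow and handle its failure modes.

Added example for this issue, not PWM project code. Endpoint path, body and
response shapes, the stage names IDENTIFICATION/VERIFICATION and the form
field names are assumptions; check them against your PWM version.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ENDPOINT = "/pwm/public/rest/forgottenpassword"  # assumed path

# A transport takes (path, json_body) and returns the parsed JSON response.
# In production wrap requests.post(base_url + path, json=body).json();
# here a scripted transport is injected so the example runs offline.
Transport = Callable[[str, dict], dict]


class FlowError(RuntimeError):
    def __init__(self, code: Optional[int], message: str, stages: List[str]):
        super().__init__(f"{message} (errorCode={code}, stages={stages})")
        self.code = code
        self.stages = stages


@dataclass
class FlowResult:
    stages: List[str]                 # every stage the server reported, in order
    success_message: Optional[str]

    @property
    def final_stage(self) -> str:
        return self.stages[-1]


def run_flow(transport: Transport, answers: Dict[str, Dict[str, str]],
             max_steps: int = 10) -> FlowResult:
    """First request carries no state; each later request echoes the opaque
    server-issued state token plus the form data for the stage just reported."""
    state: Optional[str] = None
    form: Dict[str, str] = {}
    stages: List[str] = []
    for _ in range(max_steps):
        body = {"form": form} if state is None else {"state": state, "form": form}
        resp = transport(ENDPOINT, body)
        if resp.get("error"):
            # e.g. errorCode 5015 on the second request, as reported in this issue
            raise FlowError(resp.get("errorCode"), resp.get("errorMessage", "server error"), stages)
        data = resp.get("data") or {}
        if "stage" not in data or "state" not in data:
            raise FlowError(None, "malformed response: missing stage/state", stages)
        stage = data["stage"]
        stages.append(stage)
        state = data["state"]  # opaque flow state: treat as a secret, never log it
        if stage == "COMPLETE":
            return FlowResult(stages, resp.get("successMessage"))
        if stage not in answers:
            raise FlowError(None, f"no form data prepared for stage {stage}", stages)
        form = answers[stage]
    raise FlowError(None, "flow did not reach COMPLETE", stages)


def confirm_reset(result: FlowResult, credential_check: Callable[[], bool]) -> bool:
    """COMPLETE plus a success message is only a claim: the second comment shows
    the flow reporting success while LDAP was never updated. Confirm with an
    independent check, e.g. an LDAP bind using the new credential."""
    return result.final_stage == "COMPLETE" and credential_check()


def scripted_transport(responses: List[dict]) -> Transport:
    """Replay constructed responses in order and record each request body."""
    queue = list(responses)
    sent: List[dict] = []

    def transport(path: str, body: dict) -> dict:
        assert path == ENDPOINT
        sent.append(json.loads(json.dumps(body)))  # deep copy of what was sent
        return queue.pop(0)

    transport.sent = sent  # type: ignore[attr-defined]
    return transport


def ok(stage: str, state: str) -> dict:
    return {"error": False, "errorCode": 0, "data": {"stage": stage, "state": state}}


# Constructed form data per stage (field names are assumptions).
ANSWERS = {
    "IDENTIFICATION": {"username": "jdoe"},
    "TOKEN_CHOICE": {"choice": "EMAIL"},
    "VERIFICATION": {"token": "482913"},
}

# Scenario A (constructed): the reported bug, second request answered with 5015.
BUG_RESPONSES = [
    ok("IDENTIFICATION", "st-1"),
    {"error": True, "errorCode": 5015, "errorMessage": "Internal Error", "data": None},
]

# Scenario B (constructed): the workaround path, ending in COMPLETE.
WORKAROUND_RESPONSES = [
    ok("IDENTIFICATION", "st-1"),
    ok("TOKEN_CHOICE", "st-2"),
    ok("VERIFICATION", "st-3"),
    {**ok("COMPLETE", "st-4"), "successMessage": "The password has been changed successfully."},
]

if __name__ == "__main__":
    try:
        run_flow(scripted_transport(BUG_RESPONSES), ANSWERS)
    except FlowError as err:
        print("bug scenario:", err)
    result = run_flow(scripted_transport(WORKAROUND_RESPONSES), ANSWERS)
    print("workaround scenario:", result.stages, result.success_message)
    # stand-in for an LDAP bind with the new password; False mirrors this issue
    print("reset confirmed:", confirm_reset(result, lambda: False))
```

To run it against a real instance, replace `scripted_transport` with a function that POSTs to the PWM base URL and returns the parsed JSON, and pass a real bind attempt (for example with ldap3) as `credential_check`. The point of `confirm_reset` is that a self-service reset tool's COMPLETE is an output of its own state machine, not of the directory; monitoring or tests built on the REST flow should check the directory.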

jrivard (Contributor) commented Sep 25, 2023

Thanks for the detailed report. I'm not sure when I'll have time but I'll do my best to get to this soon.
