Reset password by email issue
Concerned version
Version: %2.0.5
Platform: Docker/CentOS 7/Nginx/llng-fastcgi-server
Summary
We've just migrated from 1.9.19 to 2.0.5 in production yesterday, and today we noticed that the reset password process no longer works.
The current process is configured this way: click on the reset password link on the login form > fill in your email address > an email is sent with a link containing a mail_token allowing the user to reset his password without specifying the old one.
So at the end of the process, on the Portal's resetpwd page, the following error message is shown after submitting your new password: "Abnormal error from LDAP server".
Note:
We've set a custom rule on requireToken in order to remove the CSRF token so we can curl the resetpwd page with the mail parameter in the URL to trigger the reset password email, but the rule only matches this specific scenario, not the one I've described in this issue. Here is the rule:
requireToken: '$env->{REQUEST_URI} !~ m:^/resetpwd\?mail=.+$:'
Logs
lemonldap-user.log
[2019/08/30 10:47:31] WARN: Bad reset token
lemonldap.log
[2019/08/30 10:48:00] ERROR: Session kind mismatch : mail is not TOKEN
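Added example, not part of the report above and not LemonLDAP::NG code: the requireToken rule quoted in the note is a Perl regex over REQUEST_URI, so it is worth checking exactly which requests it exempts from the CSRF token. The Python below replays the same pattern against a few constructed request URIs (the sample URIs and the helper names require_token / require_token_strict are my own). It also shows a tighter variant that limits the exemption to a single mail parameter, since the original `.+` exempts any query string that merely begins with `mail=`.

```python
import re

# Same pattern as the reporter's requireToken rule, m:^/resetpwd\?mail=.+$:,
# written with Python's re module. Perl's $ and Python's $ both allow a
# trailing newline before end of string, so the behaviour matches for
# ordinary request URIs.
RESET_BY_MAIL = re.compile(r"^/resetpwd\?mail=.+$")

# Tighter variant (my suggestion, not from the report): only a single
# mail=<value> query parameter is exempt; any extra parameter or an empty
# value keeps the CSRF token requirement.
RESET_BY_MAIL_STRICT = re.compile(r"^/resetpwd\?mail=[^&=]+$")


def require_token(request_uri: str) -> bool:
    """Mirror the rule: the token is required unless the URI matches."""
    return RESET_BY_MAIL.search(request_uri) is None


def require_token_strict(request_uri: str) -> bool:
    """Same decision, using the tighter pattern."""
    return RESET_BY_MAIL_STRICT.search(request_uri) is None


# Constructed request URIs (not taken from the original report), with the
# decision the original rule produces for each.
SAMPLES = {
    "/resetpwd?mail=alice@example.com": False,   # the curl scenario: exempt
    "/resetpwd": True,                            # the form itself: token required
    "/resetpwd?mail_token=abc": True,             # link from the email: still required
    "/resetpwd?mail=": True,                      # empty value: .+ needs one char
    "/resetpwd?mail=x&skin=bootstrap": False,     # .+ also swallows extra parameters
    "/portal/resetpwd?mail=alice@example.com": True,  # anchored at ^: other prefix
}


def classify(uris) -> dict:
    """Return {uri: token_required} for both the original and strict rules."""
    return {u: (require_token(u), require_token_strict(u)) for u in uris}


if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        loose, strict = classify([uri])[uri]
        assert loose is expected, uri
        print(f"{uri:45} original={loose!s:5} strict={strict}")
```

The only request the original rule exempts in the reporter's flow is the GET with `mail=` in the query string; the mail_token link and the final password submission still require the token, which is consistent with the note that the rule does not cover the failing scenario.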