After v5 upgrade - dbAuth: Invalid Reset Token

Hey there,

just did the upgrade to v5 following the guide here on the community forum. Now it seems that the resetPassword functionality with dbAuth is broken for me.

What is the problem

  • I completed the upgrade guide.
  • Testing the resetPassword functionality, I do get the notification with a resetPassword link, the resetToken is included in the URL and stored on my user in the database.
  • However, when I enter the site with the resetToken in the URL, the toaster “Invalid Reset Token” gets immediately displayed.
  • :thinking: This is weird, because it should find my user with that token… I can see it in prisma studio!
  • :thinking: I find it also weird that the token is just something like this 1NXg-A - not a hash, as I would expect…

How can I troubleshoot this further? I can log the token on the frontend - it’s correct. But I cannot find the place in the code where the database query is done. So I am unsure what the issue is…

Hi @AlexRoosWork

Most likely, it’s not in your code but in the FW’s code that the issue is happening:

I have the same issue but cannot confirm when it appeared first.

Ok so it comes from here:

and here feat: Change to using resetToken hash in DB (#8041) · redwoodjs/redwood@08e092f · GitHub

Not sure yet what to do, but according to the discussions you should be able to simply reset a token after your upgrade and go with it :thinking: .

Ok so apparently now the framework returns the raw version of the token only when using forgotPassword, but it gets removed if your own handler for this method is returning an object.

So to “solve” this, in my use case, I changed the forgotPassword handler to return only the resetToken, which is the raw version of it, not the hash one. I then use it for the email I send to welcome my users and whatever I need it for in the frontend.

This code has been problematic to me as it removes the resetToken if my forgotPassword handler returns a user, something I would not expect:

Is this of any help @AlexRoosWork ?


Thank you so much for the detailed help!

What led to the issue for me was that I was generating my own resetTokens and storing them to the database myself in the forgotPasswordOptions.

I just removed the call to nanoId and let Redwood do its thing. Now everything works as expected: the user that arrives in the forgotPassword already has the resetToken, which gets stored as a hash in the DB, and the resetting of passwords works!
