Invited user's password reset email has expired token


(Ted Strauss) #1

i have a brand new Discourse install. I am sending out invites to users one of them has a problem that the password-reset email has an expired link token. When I test it myself the onboarding flow works fine. Any suggestions on how to debug this?


(Ted Strauss) #2

It appears that the problem had to do with the user’s system clock. Increasing the expiry limits in site settings and resending the password reset email fixed it.


(Jeff Atwood) #3

Interesting, I always forget about the wide ranging effects of bad local system time. Good to get a periodic reminder.


(Sam Saffron) #4

What is the exact repro of the issue here?


(Jeff Atwood) #5

Do a password reset with your computer’s clock set to Feb 1 2012


(Ted Strauss) #6

As i understood the problem, it’s with the user’s clock that was set wrong, not the discourse host clock.


(Kane York) #7

Yes, which is worrying because it shouldn’t be reading the local computer’s time…


(Jeff Atwood) #8

True that implies the client is processing the embedded date in the invite. We should look into that @eviltrout.


(Robin Ward) #9

I just tried to reproduce this and it did not work. Here’s what I did:

  • Sent myself a password reset request
  • Modified by system time to be old
  • Confimred JavaScript had the correct time set in the dev console
  • Was able to reset my password

I also looked at the DB query and it seems based on server time not client time. What am I missing here to reproduce?


(Ted Strauss) #10

Sorry I don’t have a fully fleshed out bug report to give, with steps for reproducing.
My user forwarded me the screen shot, and then changing the expiry setting fixed it for that one user. If you can’t reproduce it, and it’s never been reported before, seems like not much to worry about.


(Sam Saffron) #11