New invited user (moderator) is getting “Sorry, that password change link is too old. Select the Log In button and use ‘I forgot my password’ to get a new link.”, even after following the instructions, and using the new link on received email. Help?
Most likely cause is some sort of errant “security” software visiting the link and doing things it shouldn’t before the user visits the link. Password change links are valid for one visit only, to prevent replay attacks. While we try to detect and work around the most common forms of “security” software doing dumb stuff, the universe is always building more ingenious idiots who then get hired into AV companies…
Not the case here (macOS, no antivirus). Would an ad blocker cause this?
What version of Discourse are you on?
Currently running v1.8.0.beta4 +12.
How are you sending invite, what are the exact steps?
The invite was sent during the install wizard. User received the email, clicked on link, got the message. Followed the message instructions, got link on email, got message again. It worked on the third time.
@eviltrout can you confirm
curl will not invalidate invites sent this way through the wizard?
Something else I’ve run into with this was the clock on the computer being used by the invitee. The time was wrong (I think it was a couple hours behind) and made it think it was an old link. Fixing the clock fixed mine.
Oh interesting I always forget to consider wrong clock issues!
Links are generated on the server using, I assume, server time. How would that affect anything? How about servers in PST, and users all around the world, for example? Either way, it only happened once, will keep an eye on it.
I haven’t looked at it but I assume there’s an adjustment for time zones. If (after the adjustment) the local time (per the users machine) indicates an old link, it would fail. But again, that’s my assumption.
In my case, I had a faulty time server on our internal network that threw off any hardwired machines. It was only users with a bad clock that had issues. Once the time was fixed (on 6 machines) the reset password process worked as expected.
I am trying to run Discourse, not an Active Directory! Cheers.
I can confirm that
cURL will not invalidate invite sent via wizard. End user will have to explicity click on “Accept Invite” button to accept the invite.