Chapters
00:00 - Creating Our Forgot Password Page & Form
03:32 - Defining Our Forgot Password Routes
04:50 - Password Reset Send Validator
05:40 - Try Send Password Reset Email Action
08:36 - Expire Password Reset Tokens Action
09:54 - Continuing the Try Send Action
12:30 - Installing & Configuring AdonisJS Mail
14:38 - Sending Our Password Reset Email
17:14 - Forgot Password Send Route Handler
17:39 - Forgot Password Index Route Handler
19:13 - Testing Our Forgot Password Flow
19:46 - Creating Our Reset Password Page & Form
22:18 - Reset Password Route Handler
22:44 - Verify Password Reset Token Action
24:35 - Continuing Our Reset Password Handler
25:28 - Password Reset Validator
26:30 - Reset Password Action
27:27 - Reset Password Update Route Handler
28:38 - Testing Our Reset Password Flow
Forgot Password Email
You can find the complete forgot password email from this lesson, on GitHub. This email was created using maily.to.
Join The Discussion! (16 Comments)
Please sign in or sign up for free to join in on the dicussion.
mykl
Hello Tom,
First of all, thank you for all this amazing work.
I have an warning that I can't fix; in my console, I see the warning message below, even though I do have an authenticated user.
Warning message:
[Vue warn]: Invalid prop: type check failed for prop "user". Expected Object, got Undefined
at <AppLayout user=undefined errors= {} exceptions= {} ... >
at <Inertia initialPage= {
component: 'home',
version: '1',
props: {
user: undefined,
errors: {},
exceptions: {},
messages: {},
version: 6
},
If I do a console log of user, I indeed get undefined:
sharedData: {
user: async (ctx) => {
const user = ctx.auth.use('web').user
console.log(user)
return user && new UserDto(user)
},
However, if I retrieve the user this way:
const user = await ctx.auth.use('web').authenticate()
I do have my user connected. On the other hand, if I log out and return to the login page, I get the message: "The page isn't redirecting properly."
Do you have any idea what the problem is?
Please sign in or sign up for free to reply
tomgobich
For the authenticated user to be populated you must inform AdonisJS to check for it. This saves the roundtrip to populate the user in cases where it isn't needed.
To populate the user, you have two options
authenticate
- Requires an authenticated user. If an authenticated user is not found, an exception is thrown.check
- Will check to see if a user is authenticated, and populate that user if so. The request goes on as usual if an authenticated user is not found.In terms of middleware, you have three options
auth
- Will callauthenticate
and redirect the user to the login page by default if an authenticated user is not found.guest
- Will callcheck
and redirect the user, I believe to the home page, by default if an authenticated user is found.silent_auth
- Will callcheck
and progress with the request as usual.So, you're most likely getting "the page isn't redirecting properly" because your authenticate on the login page is attempting to redirect the user to the login page, resulting in an infinite redirect loop.
You most likely will want to replace your
authenticate
on the login page with theguest
middleware and that should fix the redirect loop. Then, for internal pages, you can either useauthenticate
if the user must be authenticated to access the page,check
if the user may or may not be authenticated to access the page, or one of the corresponding middleware.Please sign in or sign up for free to reply
mykl
Thank you for this quick response. So if I understand correctly, at the current stage of the course (5.6), it's normal to receive this warning message since our 'home' route doesn't have any middleware.
Please sign in or sign up for free to reply
tomgobich
Anytime! Yes, sorry, we'll move our home page into our group protected by the
auth
middleware in the next lesson (6.0). So, that warning specifically on the home page will go away in the next lesson.Please sign in or sign up for free to reply
aaron-ford
When you say we might want to add a referrer policy to this page, how do we do that?
Please sign in or sign up for free to reply
tomgobich
Hi Arron!
Great question, I now wish I would've injected this into the lesson; I think I'll make a note to do that.
The Referrer-Policy mentioned is a response header. So, in the controller rendering this page you'd add it using the HttpContext's response, like below. This is a step recommended by OWASP.
Please sign in or sign up for free to reply
aaron-ford
Thanks!
Please sign in or sign up for free to reply
tomgobich
Anytime, Aaron!!
Please sign in or sign up for free to reply
memsbdm
I just find out that when trying to reset our password with a valid token and providing a payload not satisfying the validator we don't have a form error message but we are redirected instead. I tried many times and I don't think that I missed something, I also tried on the PlotMyCourse deployed version but you disabled the mailer so I can't reproduce the error to see if you also have it or not…
Please sign in or sign up for free to reply
tomgobich
Hi memsbdm!
The mailer at plotmycourse.app is indeed still up and running, you might need to check your spam for it's email. However, I can confirm I'm having the same issue. I'm not immediately sure why this would be happening, it looks like it isn't properly returning an Inertia response from the validation handling.
I'll be able to dig into it further after work and will let you know if I find anything!
Please sign in or sign up for free to reply
memsbdm
Thanks! I will also keep trying to investigate :)
Please sign in or sign up for free to reply
tomgobich
Alrighty, was able to track down the issue! So this was happening as a side-effect to the
Referrer-Policy: no-referrer
within reset method of the forgot password controller.When we call
response.redirect().back()
, which happens on our behalf during request validation handling, it reads from thereferer
header and redirects the user back to that page. With ourReferrer-Policy
on this particular form set tono-referrer
we're telling the browser not to share that referrer with anyone. This is a security step to prevent the token from being leaked via the referrer.To properly correct this and also allow any password errors to show, we want to keep the
no-referrer
designation and instead update how we're handling our validation errors.First, let's move the password reset token into a flash message, rather than passing through the form. This will allow us to keep it out of our redirect url should we get any validation errors on submit.
Then, configure the
update
method to read the token from the flash message store instead of our form. We'll also want to manually capture and handle the validation error so we can specify where the user should be redirected to, reflashing the token so it continues to be available for us to use.Next, since our token is no longer in our data, we'll update the
ResetPassword
action to accept it separately.Then, since the token will come from our flash message store on any validation redirects and not the route params, we'll make that route parameter optional.
Lastly, since we're no longer passing the token to our page or form, we can remove it from our validator.
With all that, things should be behaving properly! Terribly sorry I missed accounting for that. The
no-referrer
was something I added in after the fact and failed to recognize it'd have that kind of impact. However, it is definitely something we want to keep.You can find the full diff of my commit for this here:
https://github.com/adocasts/building-with-adonisjs-and-inertia/commit/2f87a54cd84886e6dfffad01568153e2f8fe24a1
Please sign in or sign up for free to reply
memsbdm
Well well well, I removed
response.header('Referrer-Policy', 'no-referrer')
and it works now, it's seems like inertia is not receiving the token after the redirect().back()We probably could send a cookie before the redirect to keep the no-referrer good practice but seems a bit overkill..
Please sign in or sign up for free to reply
tomgobich
Oh hey, haha! Seems we both found the culprit around the same time! 😄
I chose to take the overkill approach in my commit & other comment, though using flash messages instead of a cookie.
Please sign in or sign up for free to reply
memsbdm
Haha nice what a clean way to solve the issue, I'll replicate these changes it is way better than my cookie idea! Thanks for your time :)
Please sign in or sign up for free to reply
tomgobich
Sure thing, memsbdm! Thank you very much for catching this!!
Just noticed I missed the validation update in my prior comment, will get that edited in now 😊
Please sign in or sign up for free to reply