Continuing vlaromann’s Get reset password token post,
NigelG ends by stating that the token, generated by the “Send password reset email” Action, appears not to be assignable to text elements. My team and I have ran into this same situation.
Is this a bug? Something we’re missing?
Or, is this working as intended and we must send out the email with the token in the url instead?
We’re super grateful for a response or any insight someone can provide to this little muddle.
Short answer: There is no way around the password reset/password change email hokey-pokey.
I see what you’re trying to do. You’re saying, “Hey, the User is logged in. Let’s let them change their password. Let’s just snag the reset token and open the reset page with it.”
YOU CANNOT DO THIS, Bubble will not let you. This isn’t a bug, but it’s not documented in a painfully explicit way. (Though you probably didn’t read the docs such as they are anyway, amirite?)
I’m sure you also tried putting an input on the page and trying to make changes to Current User’s password. This is also, of course, something you can’t do.
Why does Bubble not allow this?
Well, whether YOU care about it or not, Bubble has deemed that the state of being logged in is not enough to confirm the User’s identity to a sufficient degree to allow a password reset.
I do not disagree with this decision. Consider:
- Stupid User uses public terminal to access app. Forgets to log out.
- Malicious person comes along, sees this and does malicious stuff as user.
- To add insult to injury (and/or to continue malicious behavior sometime later), malicious person resets password so that Stupid User cannot log in, but malicious person can.
The Reset Password > Email with Token/Link > Password Reset Page hokey-pokey is all about security.
The only allowable option seems to be to email some other account with the token (as implied by the documentation at https://bubble.io/reference#Actions.SendConfirmationEmail.page).
I also care about the reasoning. I had a feeling it was security related.
And yes, I saw this
and I kept circling the mentioned post so, I decided to reach out and gain a little deeper understanding.
Thank you for the clarity Keith!
I’m confused here. Their docs explicitly say:
This feature adds flexibility. For example, maybe you want an administrator to create an account for someone else and then email them from a personal account rather than having the user receive a system-generated email.
It says you can do what this person (and I) want to do. But then it does not work.
This topic was automatically closed after 70 days. New replies are no longer allowed.