Password reset on a single page app

I’ve now added the equals sign and it works, seems to work with or without it.

If a Bubble agent genuinely suggested to use that then they should resign or be sacked!! - that’s not a valid URL parameter (there’s no reset key)- the correct way to do it is very simple and is written clearly in the Bubble manual - surely a Bubble agent should understand the very basics of URL parameters.

(I suspect they didn’t say that at all, rather you’ve misinterpreted what they said! - I’d be very worried if someone from Bubble actually said that!)

I added ?=yes and it worked. I have no clue what it does or how it works though. So to confirm, this is the current link address https://mydomain.com/reset_pw?=yes&reset(Refer to step 1 …)

That literally makes no sense - the yes is doing nothing, and you’re missing the equals sign (therefore there’s a key with no value, and the key is invalid).

Are you sure it’s working (I don’t mean does the link work, of course any link will work - I mean can a user actually reset their password? - if they can there’s something wrong and I’d be worried about security there)…

Oh, there is a key, sorry I had posted a screen shot but if you scroll up can you see a blank space (my post is not there?). Anyway, the key is generated in Step 1 of the workflow… I believe Step 1 creates a token and that is sent with the email.

No, by ‘Key’ I mean the query parameter ‘key’ (I thought you said you understood query parameters)… I don’t mean the reset password token…

I’ve now added the equals sign and it works, seems to work with or without it.

Impossible (or a major bug) - that’s not how query parameters work - without the equals sign the key is not correct and there’s no value - I can’t see any possible way how the browser could interpret that and pass it correctly to your app - I think you’re mistaken there.

It’s very possible I have misinterpreted, I was trying so many things and getting a bit flustered. Here’s a ‘copy paste’ of one email I got:

Hello Darren,

I think we may be missing one more thing; do you think you could add “reset=” right in front of the token? The URL should look like this: https://mydomain.com/reset_pw?reset=1650295757027x404716276406885440.

Yes, I have reset my password several times and it works, my old password won’t work but the newly created pass logs me in.

Sorry, I see what you mean now, you’re correct that there is no key. hmm that is weird.

May be a major bug in that case. Since this could potentially be a security bug for Bubble I will spend some time tonight checking and double checking to make sure I am not making a mistake and update you here.

Yes, their response is exactly correct (as I suspected it would be). That’s exactly how you need to do it (as is also explained in the Bubble manual).

Except that didn’t work!

So, I then changed it and sent another email to them;

Darren: I got it, the solution is https://mydomain.com/reset_pw?=yes&reset
Bubble: That’s great to hear, Darren! :slight_smile: I’m glad to hear that it’s working as intended now.

Except that didn’t work!

Strange - there must be more to it than that…

Darren: I got it, the solution is https://mydomain.com/reset_pw?=yes&reset
Bubble: That’s great to hear, Darren! :slight_smile: I’m glad to hear that it’s working as intended now.

If that works then great - albeit your app seems to be riddled with strange bugs for some reason (I’m not convinced it’s actually working at all - that URL is literally meaningless… if it appears to be working for you it’s probably to do with browser caching, and I doubt it will work for anyone else. And if it does I’d be very worried about security since there’s no valid password reset token (how are you differentiating between the parameter key and value without =?), so potentially anyone could reset anyone else’s password, although I don’t think that’s possible (and what the hell does ?=yes mean?))

In any case, going back to something I said earlier…

Unless I’m missing some secret hidden method of being able to reset passwords from the index page of your app, that’s not mentioned anywhere in the manual, has never been discussed on the forum, and is completely hidden within the editor (and I’m not ruling out the possibility), you can’t do that…

So, having done some more testing (and taking another look at your app), it turns out there is a (sneaky) way to reset a password on any page of your app… and it seems you’ve already figured that out (or one of your freelancers has)…

So the reset password workflow action does not appear on any page other than the reset_pw page, but if you ‘copy with workflows’ the element (or container element) that contains the reset-password action from the reset_pw page you can ‘paste with workflows’ onto any other page of your app and it works exactly the same.

I don’t know if that’s intended behaviour or not (might be worth checking with Bubble about that - you wouldn’t want them to change it if you’re relying on it working).

In any case, once you’ve pasted the reset password action onto another page, it functions just the same as it does on the in-built reset_pw page: i.e. you need to send the reset=token parameter to the page in the URL.

Although in your case you’ll probably need to add some strange extra parameter values with no key, or keys that aren’t valid and don’t make any sense in order to get it to work :rofl:

In any case, I’m done with this thread… good luck with getting it working

I didn’t know this and I haven’t had any freelancers working on the current version. This is a new fresh project. I’m unsure what made you think I’d figured it out. I didn’t!

I cleared my cache and it still works. That aside, thank you very much for doing more testing. I will ask Bubble support if they can help because it sounds like my site has a pretty bad security flaw.

Bubble support have just confirmed that it worked for them also, ie. https://mydomain.com/reset_pw?=yes&reset[token] is resetting the password. This means it’s not an error on my part and I’ve asked them to look deeper (which they are).

The latest is that both the following work to reset the password;

  1. https://mydomain.com/reset_pw?reset=[token]
  2. https://mydomain.com/reset_pw?=yes&reset[token]

I am now using the first (correct) one, but am waiting to hear back from Bubble on why/how the second works.

Update:

Bubble support tried implementing the original incorrect URL (https://mydomain.com/reset_pw?=yes&reset) in their own test app but wasn’t able to reset passwords. They asked me to revert the URL to this again but when I did it would not reset the password, either for myself or them. This is super weird because an hour ago it worked for us both.

However, I have reset it to https://mydomain.com/reset_pw?=yes&reset=[token] and that is resetting the password for me. Bubble will check from their end tomorrow to see if they can recreate that.

At least the correct format now works https://mydomain.com/reset_pw?reset=[token] where it previously failed this morning (still unsure why).

Yes, of course that will work as that’s the correct format - although the =yes is literally doing nothing (it’s meaningless) so you can get rid of that and just use the correct URL.

The other version can not possibly work (and evidently it’s not working for me nor for Bubble). There’s no possible way to identify the User or the reset token without the correct URL parameter, and the second version of your URL doesn’t contain the correct information.

If it appears to be working for you then there MUST be something else you’re doing to make it work (although I can’t think what that could be) as the URL you’re using does not contain any valid information about the User or reset token.

At least the correct format now works https://mydomain.com/reset_pw?reset=[token] where it previously failed this morning (still unsure why).

Most likely an invalid token.

I will remove the =yes tomorrow as it now works without (and is meaningless). It’s been a frustrating day because I tested the incorrect formatting and copy/pasted the URLs into this thread, I have no idea why the incorrect format worked for me, or why it no longer works for me. I also don’t know why the correct URL format didn’t work but it now does, you could be right that it was an invalid token.

I know you are correct in all you say and this must be something I was doing my end, I wish I knew.

As a conclusion to this thread, I am now using the correct formatting https://mydomain.com/reset_pw?reset=[token].

‘copy with workflows’ the element (or container element) that contains the reset-password action from the reset_pw page you can ‘paste with workflows’ onto any other page of your app and it works exactly the same.

Bubble support was able to recreate this but said they did not detect any security issues and it seems everything is working as intended. Thank you again @adamhholmes for your patience with this thread and helping me resolve it.

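Added example, not part of the original thread and not Bubble's code: how a standards-compliant query-string parser (the WHATWG `URL` API in browsers and Node.js) reads the three link shapes discussed above, with a check that accepts a link only when it carries exactly one well-formed `reset` parameter. The token is the sample value quoted in the thread; `TOKEN_PATTERN`, `queryPairs` and `extractResetToken` are hypothetical names, and the token shape is an assumption inferred from that single sample. It shows only what a generic parser sees, not how Bubble handles these links internally.

```javascript
// Sample token quoted in the thread; the pattern below is an ASSUMED shape
// inferred from that one sample, not a documented Bubble format.
const TOKEN = "1650295757027x404716276406885440";
const TOKEN_PATTERN = /^\d+x\d+$/;

// Every key/value pair the query string decodes to, in order.
function queryPairs(link) {
  return [...new URL(link).searchParams.entries()];
}

// Accept a link only if it has exactly one `reset` key with a well-formed value.
function extractResetToken(link) {
  const values = new URL(link).searchParams.getAll("reset");
  if (values.length !== 1) return null; // key missing or duplicated
  return TOKEN_PATTERN.test(values[0]) ? values[0] : null;
}

// The link shapes from the thread, with the sample token substituted in.
const links = {
  correct: `https://mydomain.com/reset_pw?reset=${TOKEN}`,
  extraPair: `https://mydomain.com/reset_pw?=yes&reset=${TOKEN}`,
  noEquals: `https://mydomain.com/reset_pw?=yes&reset${TOKEN}`,
};

for (const [name, link] of Object.entries(links)) {
  console.log(name, JSON.stringify(queryPairs(link)), "->", extractResetToken(link));
}
```

In the `noEquals` form the parser produces a pair with an empty key (`"" = "yes"`) and a second pair whose key is `reset` fused with the token and whose value is empty, so a lookup of `reset` finds nothing. In the `extraPair` form the empty-key pair is simply ignored and `reset` resolves normally.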