Password Recovery in 3.5 very Buggy

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
I have 3.5 installed on my server and customers are complaining that after requesting to recover passwords they are either sent an empty link or the link simply redirects to the homepage.

I have looked at the password recovery emails in the message queue for the ones that were reported as not working. I found the links blank, or, when I copied the link into a different browser, it simply redirected to the homepage. I even logged out in my main browser and entered the link; it did the same and went to the homepage.

This is a serious problem for us, as we have many customers browsing and placing orders online every day. It's going to be a bigger problem if the bug continues and the same customers notice; it will look like we did not sort it out.
7 years ago
We cannot reproduce it. Could you please provide a list of steps to reproduce it? Does it always happen?
7 years ago
Hi Andrei,

It happens everyday.

The steps customers take are as follows:

1. Click on 'Forgot Password' (takes you to the Password Recovery page)
2. Enter email address and click on 'Recover' button.
3. Password Recovery email is sent using the Customer.PasswordRecovery Message Template
   We have updated the standard template to suit our client's brand. The template contains the following HTML snippet:

<p>Hi %Customer.FirstName%,</p>
<p>To change your password, please <a href="%Customer.PasswordRecoveryURL%">click here</a>.<br />If this link does not work, please reply to this email to let us know and we will reset it for you.</p>


4. The customer receives the email. This is when the bug shows. The %Customer.PasswordRecoveryURL% token is not set. In some instances it has the full URL, and when the customer clicks the link, it goes to the Change Password page, which redirects to the homepage.

So the bug is two-fold, and it's really weird because when we test it, it works fine for us.

Here is the PasswordRecoverySend method from CustomerController:

[HttpPost, ActionName("PasswordRecovery")]
[FormValueRequired("send-email")]
public ActionResult PasswordRecoverySend(PasswordRecoveryModel model)
{
    if (ModelState.IsValid)
    {
        var customer = _customerService.GetCustomerByEmail(model.Email);
        if (customer != null && customer.Active && !customer.Deleted)
        {
            // a fresh GUID on every request; SaveAttribute overwrites whatever token was stored before
            var passwordRecoveryToken = Guid.NewGuid();
            _genericAttributeService.SaveAttribute(customer, SystemCustomerAttributeNames.PasswordRecoveryToken, passwordRecoveryToken.ToString());
            _workflowMessageService.SendCustomerPasswordRecoveryMessage(customer, _workContext.WorkingLanguage.Id);

            model.Result = _localizationService.GetResource("Account.PasswordRecovery.EmailHasBeenSent");
        }
        else
            model.Result = _localizationService.GetResource("Account.PasswordRecovery.EmailNotFound");

        return View(model);
    }

    //If we got this far, something failed, redisplay form
    return View(model);
}



The following snippet is from the MessageTokenProvider class:

try
{
    //changed to add in Company Name if exists
    tokens.Add(new Token("Customer.FullName", customer.GetFullName()));

    tokens.Add(new Token("Customer.FirstName", customer.GetAttribute<string>(SystemCustomerAttributeNames.FirstName)));
    tokens.Add(new Token("Customer.LastName", customer.GetAttribute<string>(SystemCustomerAttributeNames.LastName)));
    tokens.Add(new Token("Customer.VatNumber", customer.GetAttribute<string>(SystemCustomerAttributeNames.VatNumber)));
    tokens.Add(new Token("Customer.VatNumberStatus", ((VatNumberStatus)customer.GetAttribute<int>(SystemCustomerAttributeNames.VatNumberStatusId)).ToString()));
    tokens.Add(new Token("Customer.PhoneNumber", customer.GetAttribute<string>(SystemCustomerAttributeNames.Phone)));

    //address (customer.BillingAddress is dereferenced without a null check)
    tokens.Add(new Token("Customer.Address1", customer.BillingAddress.Address1));
    tokens.Add(new Token("Customer.Address2", customer.BillingAddress.Address2));
    tokens.Add(new Token("Customer.City", customer.BillingAddress.City));
    tokens.Add(new Token("Customer.ZipPostalCode", customer.BillingAddress.ZipPostalCode));

    string companyName = "";
    if (string.IsNullOrEmpty(customer.GetAttribute<string>(SystemCustomerAttributeNames.Company)))
        companyName = customer.GetFullName();
    else
        companyName = customer.GetAttribute<string>(SystemCustomerAttributeNames.Company);

    tokens.Add(new Token("Customer.Company", companyName));

    //note: we do not use SEO friendly URLS because we can get errors caused by having .(dot) in the URL (from the email address)
    //TODO add a method for getting URL (use routing because it handles all SEO friendly URLs)
    string passwordRecoveryUrl = string.Format("{0}passwordrecovery/confirm?token={1}&email={2}", GetStoreUrl(), customer.GetAttribute<string>(SystemCustomerAttributeNames.PasswordRecoveryToken), HttpUtility.UrlEncode(customer.Email));

    string accountActivationUrl = string.Format("{0}customer/activation?token={1}&email={2}", GetStoreUrl(), customer.GetAttribute<string>(SystemCustomerAttributeNames.AccountActivationToken), HttpUtility.UrlEncode(customer.Email));
    var wishlistUrl = string.Format("{0}wishlist/{1}", GetStoreUrl(), customer.CustomerGuid);
    tokens.Add(new Token("Customer.PasswordRecoveryURL", passwordRecoveryUrl, true));
    tokens.Add(new Token("Customer.AccountActivationURL", accountActivationUrl, true));
    tokens.Add(new Token("Wishlist.URLForCustomer", wishlistUrl, true));
}
catch
{
    //empty catch: any exception thrown above is swallowed, and every token after the failing line is never added
}


I have two clients on nopCommerce and am only receiving complaints from one client. We have made extensive modifications to various processes, but have not touched the Password Recovery code in any way, except for the Message Template, and we have added a new notification that emails the customer when their password has changed. That new email is only sent once they can load the Change Password page, though.

I'm not sure if, because it is in a try/catch block, the code could be breaking before it reaches the line that formats the Password Recovery URL?

I'm going to try removing the Recovery URL code from the try/catch block and see what happens. I can ask my client to get their customer to test it for us and see what happens.

Kind Regards,
Orion
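As an added example (this is not nopCommerce's code and not code from the thread), the following self-contained C# program models the token-building snippet posted above with hypothetical Customer, Address and Token classes, a made-up store URL of http://www.example.com/, and Uri.EscapeDataString standing in for HttpUtility.UrlEncode so it compiles without System.Web. The sample customer is constructed with no billing address. It shows two things that follow directly from the structure of the posted code: if any line before the recovery URL line throws, the empty catch swallows the exception and the rendered template keeps the literal %Customer.PasswordRecoveryURL%, and percent-encoding that literal yields exactly %25Customer.PasswordRecoveryURL%25, the form of the "invalid" link quoted later in the thread. The hardened variant adds the security-critical URL token before any optional decoration, null-guards the optional fields, and does not hide exceptions.

```csharp
// Added example, not nopCommerce code. All classes below are stand-ins (assumptions).
using System;
using System.Collections.Generic;

class Address { public string Address1; public string City; }

class Customer
{
    public string Email;
    public string FirstName;
    public string PasswordRecoveryToken;   // stands in for the PasswordRecoveryToken generic attribute
    public Address BillingAddress;         // null for a customer who never entered one (constructed case)
}

class Token
{
    public string Key, Value;
    public bool NeverHtmlEncoded;
    public Token(string key, string value, bool neverHtmlEncoded = false)
    { Key = key; Value = value; NeverHtmlEncoded = neverHtmlEncoded; }
}

static class Demo
{
    const string StoreUrl = "http://www.example.com/";   // hypothetical store URL

    static string RecoveryUrl(Customer c) =>
        string.Format("{0}passwordrecovery/confirm?token={1}&email={2}",
            StoreUrl, c.PasswordRecoveryToken, Uri.EscapeDataString(c.Email));

    // Same shape as the snippet in the thread: address tokens first, recovery URL last,
    // everything inside one try { } catch { } with an empty catch.
    static List<Token> TokensAsPosted(Customer c)
    {
        var tokens = new List<Token>();
        try
        {
            tokens.Add(new Token("Customer.FirstName", c.FirstName));
            tokens.Add(new Token("Customer.Address1", c.BillingAddress.Address1)); // NullReferenceException if BillingAddress is null
            tokens.Add(new Token("Customer.City", c.BillingAddress.City));
            tokens.Add(new Token("Customer.PasswordRecoveryURL", RecoveryUrl(c), true)); // never reached in that case
        }
        catch
        {
            // swallowed: nothing after the throwing line is added, and nobody is told
        }
        return tokens;
    }

    // Hardened variant: the URL token is added first, optional fields are null-guarded,
    // and an exception (if one still happens) propagates instead of producing a broken email.
    static List<Token> TokensHardened(Customer c)
    {
        var tokens = new List<Token>();
        tokens.Add(new Token("Customer.PasswordRecoveryURL", RecoveryUrl(c), true));
        tokens.Add(new Token("Customer.FirstName", c.FirstName ?? ""));
        var addr = c.BillingAddress;
        tokens.Add(new Token("Customer.Address1", addr != null ? addr.Address1 : ""));
        tokens.Add(new Token("Customer.City", addr != null ? addr.City : ""));
        return tokens;
    }

    // Minimal %Key% substitution, the way a message template engine fills the body.
    static string Render(string template, List<Token> tokens)
    {
        foreach (var t in tokens)
            template = template.Replace("%" + t.Key + "%", t.Value ?? "");
        return template;
    }

    static void Main()
    {
        const string template = "<a href=\"%Customer.PasswordRecoveryURL%\">click here</a>";
        var noAddress = new Customer
        {
            Email = "jane@example.com",                        // constructed sample customer
            FirstName = "Jane",
            PasswordRecoveryToken = Guid.NewGuid().ToString(),
            BillingAddress = null
        };

        // As posted: the href still contains the raw token text.
        Console.WriteLine(Render(template, TokensAsPosted(noAddress)));
        // What that raw token becomes once something percent-encodes the href.
        Console.WriteLine(Uri.EscapeDataString("%Customer.PasswordRecoveryURL%"));
        // Hardened: the href is a complete confirm link even with no billing address.
        Console.WriteLine(Render(template, TokensHardened(noAddress)));
    }
}
```

The practical check this suggests on a real install is to look for customers whose recovery email was blank and see what they have in common (for example, no billing address or a missing attribute), and to replace the empty catch with logging so the next failure leaves a trace in the log instead of a broken email.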
7 years ago
Here is the PasswordRecoveryConfirm method from the CustomerController class. This is for the second bug in the same process. When the link is formatted and the customer can click on it, it redirects to the homepage.

[NopHttpsRequirement(SslRequirement.Yes)]
public ActionResult PasswordRecoveryConfirm(string token, string email)
{
    var customer = _customerService.GetCustomerByEmail(email);
    if (customer == null)
        return RedirectToRoute("HomePage");   // unknown email

    var cPrt = customer.GetAttribute<string>(SystemCustomerAttributeNames.PasswordRecoveryToken);
    if (String.IsNullOrEmpty(cPrt))
        return RedirectToRoute("HomePage");   // no outstanding token for this customer

    if (!cPrt.Equals(token, StringComparison.InvariantCultureIgnoreCase))
        return RedirectToRoute("HomePage");   // token in the link differs from the stored one

    var model = new PasswordRecoveryConfirmModel();
    return View(model);
}
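As an added example (not nopCommerce's code and not code from the thread), the following self-contained C# program models the PasswordRecoverySend / PasswordRecoveryConfirm pair as posted, with an in-memory dictionary standing in for the generic attribute table, a single constructed customer and a made-up store URL. Because Send mints a new GUID and overwrites the one stored attribute on every request, any link issued earlier fails the equality check in Confirm and produces the same silent redirect to the homepage as an unknown email or a missing token would. The program walks through exactly that sequence: one request, a second request, then the first link.

```csharp
// Added example, not nopCommerce code. The store, customer and attribute table are stand-ins (assumptions).
using System;
using System.Collections.Generic;

enum Outcome { RedirectHome, ShowForm }

class RecoveryFlow
{
    const string StoreUrl = "http://www.example.com/";   // hypothetical store URL

    // email -> stored PasswordRecoveryToken; one slot per customer, like the generic attribute
    readonly Dictionary<string, string> _tokens =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // constructed customer table with one active customer
    readonly HashSet<string> _customers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "jane@example.com" };

    // Mirrors PasswordRecoverySend: a fresh GUID per request, stored over the previous one,
    // and the link that would be placed in the email is returned.
    public string Send(string email)
    {
        if (!_customers.Contains(email)) return null;
        var token = Guid.NewGuid().ToString();
        _tokens[email] = token;
        return string.Format("{0}passwordrecovery/confirm?token={1}&email={2}",
            StoreUrl, token, Uri.EscapeDataString(email));
    }

    // Mirrors PasswordRecoveryConfirm: three indistinguishable redirects, no logging.
    public Outcome Confirm(string token, string email)
    {
        if (!_customers.Contains(email))
            return Outcome.RedirectHome;                       // unknown email
        string stored;
        if (!_tokens.TryGetValue(email, out stored) || string.IsNullOrEmpty(stored))
            return Outcome.RedirectHome;                       // no outstanding token
        if (!stored.Equals(token, StringComparison.InvariantCultureIgnoreCase))
            return Outcome.RedirectHome;                       // link token != stored token
        return Outcome.ShowForm;
    }

    // Pulls the token query parameter back out of an issued link.
    static string TokenFrom(string link)
    {
        foreach (var kv in new Uri(link).Query.TrimStart('?').Split('&'))
            if (kv.StartsWith("token=")) return kv.Substring("token=".Length);
        return null;
    }

    static void Main()
    {
        var flow = new RecoveryFlow();
        const string email = "jane@example.com";

        var firstLink = flow.Send(email);
        Console.WriteLine("first link, first try:   " + flow.Confirm(TokenFrom(firstLink), email));

        // The customer (or a retry, or a second tab) requests recovery again before using the first link.
        var secondLink = flow.Send(email);
        Console.WriteLine("first link after resend: " + flow.Confirm(TokenFrom(firstLink), email));
        Console.WriteLine("second link:             " + flow.Confirm(TokenFrom(secondLink), email));

        // An email that has never requested recovery behaves the same way as a stale link.
        Console.WriteLine("unknown email:           " + flow.Confirm(TokenFrom(firstLink), "nobody@example.com"));
    }
}
```

Two caveats a practitioner would want here. First, because all three failure branches redirect identically, the confirm action gives no diagnostic at all; logging which branch fired (without logging the token value) is the cheapest way to tell a stale link from a wrong email. Second, the stored token carries no issue time and is never expired by this check, so a link remains valid indefinitely until the next recovery request replaces it.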
7 years ago
1. What is your site URL?
2. Request a password recovery email. Then go to admin area > system > queued emails. Find the sent emails. Do you see a valid link in it?
7 years ago
Hi Andrei,

Site is www.mass-supply.co.za

When I look at the Message Queue for the customers that have complained, the URL is invalid.

Sometimes when it is valid, it redirects to homepage.

This is the last one that redirects to homepage
http://mass-supply.co.za/passwordrecovery/confirm?token=7c0fc10a-9445-45ec-b4fb-1e96e5cec98d&email=customeremail

Note: I've replaced the customer's email with customeremail in the above link for security reasons. Is it OK to post the complete link here?

The following link is invalid for another customer:
%25Customer.PasswordRecoveryURL%25
7 years ago
Execute the following SQL command against your database and share the results:
SELECT [Body] FROM [MessageTemplate]
WHERE [Name] = N'Customer.PasswordRecovery'
7 years ago
<p>&nbsp;</p>
<div id="':" class="ii gt m154398dbc42bf913 adP adO" style="white-space: normal; word-spacing: 0px; position: relative; text-transform: none; color: #222222; padding-bottom: 5px; direction: ltr; font: 12px arial,sans-serif; margin: 5px 15px 0px 0px; letter-spacing: normal; background-color: #f8f7f3; text-indent: 0px;">
<div id="':" class="a3s aXjCH" style="overflow: hidden;">
<div style="background-repeat: repeat; background-position: 0% 0%; margin: 0px; background-color: #595959; padding: 0px;">
<table style="table-layout: relative; background-color: #f8f7f3;" border="0" width="100%" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="font-family: helvetica,arial,sans-serif; min-width: 600px; margin: 0px; background-color: #595959;" align="center" valign="top">
<table style="background-color: #36322d;" border="0" width="600" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #595959;" valign="top">&nbsp;</td>
</tr>
</tbody>
</table>
<table style="background-color: #36322d;" border="0" width="600" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="font-family: arial,sans-serif; margin: 0px;" valign="top"><a href="http://www.mass-supply.co.za/"><img class="CToWUd" style="color: #ffffff; margin-left: 0px; margin-right: 0px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/Proactive-header.jpg" alt="Proactive Leading Brands - Manufactured &amp; Supplied by Mass Supply Clothing" /></a></td>
</tr>
</tbody>
</table>
<table style="background-color: #ff0000;" border="0" width="600" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="font-family: arial,sans-serif; width: 20px; padding-bottom: 5px; padding-top: 5px; margin: 0px;">&nbsp;</td>
<td style="font-family: arial,sans-serif; padding-bottom: 5px; padding-top: 5px; margin: 0px;">
<table border="0" cellspacing="0" cellpadding="0" align="left">
<tbody>
<tr>
<td style="font-size: 19px; font-family: helvetica,arial,sans-serif; font-weight: bold; color: #ffffff; padding-bottom: 5px; padding-top: 5px; margin: 0px; line-height: 22px;" valign="middle">Reset your password.</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" cellpadding="0" align="right">
<tbody>
<tr>
<td style="font-size: 18px; font-family: arial,sans-serif; padding-bottom: 5px; padding-top: 5px; margin: 0px; line-height: 22px;" valign="middle">
<table border="0" width="85" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="font-size: 13px; font-family: helvetica,arial,sans-serif; font-weight: bold; color: #ffffff; margin: 0px; padding-right: 10px;" valign="middle">&nbsp;</td>
<td style="font-size: 13px; font-family: helvetica,arial,sans-serif; font-weight: bold; color: #ffffff; padding-left: 10px; border-left: #ffffff 1px solid; margin: 0px; padding-right: 10px;" valign="middle"><a style="text-decoration: none; color: #ffffff; text-align: right;" href="http://www.mass-supply.co.za/login" target="_blank">Log in</a></td>
</tr>
</tbody>
</table>
</td>
<td style="font-size: 18px; font-family: arial,sans-serif; width: 10px; padding-bottom: 5px; padding-top: 5px; margin: 0px; line-height: 22px;" valign="middle">&nbsp;</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table style="background-color: #ffffff; margin: left;" border="0" width="600" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #d20e0e;" valign="center" width="601">&nbsp;</td>
</tr>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #d20e0e;" valign="center"><a href="http://www.proactiveclothing.com/"><img class="CToWUd" style="vertical-align: top; color: #443f39; text-align: center; margin-left: 0px; margin-right: 0px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/Proactive-design-2016.jpg" alt="Proactive Clothing - PROMOTIONAL | CORPORATE | MEDICAL | WORKWEAR | SERVICE | HOSPITALITY | CHEF | BEAUTY" border="0" /></a></td>
</tr>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #ffffff;" valign="center">&nbsp;</td>
</tr>
<tr>
<td style="font-size: 14px; font-family: helvetica, arial,sans-serif; margin: 10px; padding-left: 10px; padding-right: 10px; line-height: 22px; background-color: #ffffff; color: #333; padding-bottom: 10px;" valign="center" height="103">
<p>Hi %Customer.FirstName%,</p>
<p>To change your password, please <a href="%Customer.PasswordRecoveryURL%">click here</a>.<br />If this link does not work, please reply to this email to let us know and we will reset it for you.</p>
<p><br /> Kind regards, <br /> The<br /> <img src="http://www.mass-supply.co.za/Content/Images/uploaded/logos/Proactive_100w.jpg" alt="Proactive" /> Team!</p>
</td>
</tr>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #ffffff;" valign="center" height="20">&nbsp;</td>
</tr>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 15px; background-color: #ffffff;" valign="center">
<table border="0" width="55%" cellspacing="1" cellpadding="1" align="center">
<tbody>
<tr align="center">
<td><a href="https://www.facebook.com/ProactiveC/"><img class="socialmed" style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/facebook.jpg" alt="Like us on Facebook" width="37" height="37" /></a></td>
<td><a href="https://twitter.com/Proactive_C"><img class="socialmed" style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/twitter.jpg" alt="Follow us on Twitter" width="37" height="37" /></a></td>
<td><a href="https://www.youtube.com/channel/UCwnAGJ5yU3lMv4cItmP9F4g"><img style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/youtube.jpg" alt="Youtube" width="37" height="37" /></a></td>
<td><a href="https://www.pinterest.com/proactive_c/"><img style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/pinterest.jpg" alt="Pinterest" width="37" height="37" /></a></td>
<td><a href="https://www.linkedin.com/company/mass-supply-clothing"><img style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/linkedin.jpg" alt="LinkedIn" width="37" height="37" /></a></td>
<td><a href="https://www.instagram.com/proactiveclothing/"><img style="margin-left: 10px; margin-right: 10px; border: 0px solid;" src="http://www.proactiveclothing.com/mailers/2016/instagram.jpg" alt="Instagram" width="37" height="37" /></a></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td style="font-size: 2px; font-family: arial,sans-serif; margin: 0px; line-height: 10px; background-color: #ffffff;" valign="center">&nbsp;</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
7 years ago
Orion wrote:
Site is www.mass-supply.co.za

I've just registered. Can you please approve my account?
7 years ago
Hi Andrei,

I'm just waiting for approval from my client to approve your registration.