Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


No 'resetToken' for admin password reset



  • I followed the instructions in the Docs to reset an admin password via the command line:

    https://cloudron.io/documentation/user-management/

    The SQL query (below) does not return a reset token, that field of the table is empty.

    mysql -uroot -ppassword -e "select username, email, resetToken from box.users";

    I tried the appropriate version of https://my.example.com/api/v1/session/password/reset.html?reset_token=<token>&email=<email> for my instance with a blank token string in case the token was just an empty string and got:

    {
      "status": "Bad Request",
      "message": "Missing reset_token"
    }
    

    Any Suggestions on how to get a working token would be appreciated.


  • Staff

    You can click the "reset passwort link" button in the user listing. The paperplane icon button.


  • Staff

    @RichardJActon The docs are a bit ambiguous here but you have to first navigate to https://my.example.com/api/v1/session/password/resetRequest.html first (replace your domain name), then provide your email and reset it and then the sql command will give you the reset token.



  • @girish said in No 'resetToken' for admin password reset:

    /api/v1/session/password/resetRequest.html

    I'm also trying to reset via the command line, as per the docs.

    I managed to get a reset token - the resetToken field was originally empty, but gets populated when you browse to the log-in page and request a password reset.

    However, I cannot get to the reset.html page. Neither of these links work:

    https://my.example.com/api/v1/session/password/resetRequest.html
    
    https://my.example.com/api/v1/session/password/reset.html?reset_token=<token>&email=<email>
    

    (Using my console hostname, of course.) However, this does, suggesting I'm not pointing at the wrong host, etc.:

    https://my.example.com/api/v1/cloudron/status
    

    In both failing cases I get a 404 error. e.g.:

    Cannot GET /api/v1/session/password/resetRequest.html
    

    Seems I can't get past this. I do see emails logged as being sent in the box logs here:

    /home/yellowtent/platformdata/logs/box.log
    

    However, mail out does not work, for reasons I've yet to determine. One thing at a time, though!


  • Staff

    @wu-lee That seems quite convoluted. Where did you read this information?

    Don't mind me, it's here - https://docs.cloudron.io/user-management/#admins . I will update the docs because the documented flow is not ideal. Give me 20 minutes 🙂


  • Staff

    The dashboard login/password reset pages have since then changed, which is why you don't see those anymore.

    They do use proper REST apis now. As Girish mentioned they have to be documented though first.


  • Staff

    @wu-lee Can you try the new instructions at https://docs.cloudron.io/user-management/#admins ?



  • Thanks - trying this I get:

    root@ubuntu-2gb-hel1-2:~# sudo cloudron-support --owner-login
    Login as NULL / <redacted> . Remove /home/yellowtent/platformdata/cloudron_ghost.json when done.
    

    So I think the NULL means something didn't quite work. (The NULL is literally what I see; <redacted> is a redacted password.)

    Trying to log in as NULL plus the password fails. (Editing the file cloudron_ghost.json to have admin or superadmin instead, and then using those doesn't work either.)


  • Staff

    @wu-lee That's strange. To take a step back, have you finished your Cloudron installation and created a superadmin in the first place? If you did not, you have to go to https://<ip> address and complete the installation.

    If you did, can you check the output of:

    mysql -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner'"
    

    (You can paste the above command as-is).



  • Ok, finding and reading the cloudron-support script, I can replicate what it's doing (without the LIMIT 1)

    root@ubuntu-2gb-hel1-2:~# mysql -NB -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner' "
    mysql: [Warning] Using a password on the command line interface can be insecure.
    NULL
    wu-lee
    NULL
    NULL
    

    The problem is there are four accounts which have the role "owner", and the one I am trying to reset has the username wu-lee - but for reasons I don't know the others have no username (they were added after finishing the install, to allow other admins to log in; although I suspect they never have.)

    But it also means I guess I can edit the json file to use the username wu-lee.

    And logging in as wu-lee now works! (Although perhaps editing the file was not necessary, I've not checked that.)


  • Staff

    @wu-lee Ah good catch! I have fixed the query for the next release - https://git.cloudron.io/cloudron/box/-/commit/9b2a3d23b2f72411c89b522f8a23abdcfbe86782

    The reason others have no username is because you have invited them but they haven't logged in yet and selected a username.



  • Thanks for the quick response.

    One potential confusion I anticipate is that it picks one of the owner accounts at random, and the person doing the reset (me) might not realise/want that account. Perhaps either:

    • specifying which superadmin isn't really necessary, they could all be enabled?
    • one of them could be selected less indeterminately, perhaps the oldest?
    • or the superuser selected by the resetting user at an interactive prompt?

  • Staff

    @wu-lee The tool is not meant to be Cloudron's recommended password reset mechanism. It's the tool of last resort if the Cloudron cannot send email and the owner/superadmin of cloudron is locked out and has only ssh access. We (cloudron team) use this tool to login into our customer's servers as well so that our customers do not require giving us their password (i.e when they give us ssh access, we can now login to debug things).

    The way I see it:

    • If email is working, there is no problem. You can just go to dashboard -> password login form -> Forgot password.

    • If email is not working, if you have other superadmins, you can ask them to go to Users view and give you a password reset link. Note that giving you a password reset link does not require email to work, you can just copy the link from that dialog.

    • If email is not working and you are the only superadmin, then cloudron-support is the tool to use. This is why the logic is not super complicated in that script.

    But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:

    {"username": "sometemporarypassword" }
    

    Let me know if I missed some use case.



  • Ok, that's fair enough.

    @girish said in No 'resetToken' for admin password reset:

    But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:
    {"username": "sometemporarypassword" }

    However, this might be worth adding to the documentation.


  • Staff

    Done. I also made a change now where that ghost file is automatically removed after you use it once to login. Just in case, people forget to remove it.