No 'resetToken' for admin password reset

nebulon

The dashboard login/password reset pages have since then changed, which is why you don't see those anymore.

They do use proper REST apis now. As Girish mentioned they have to be documented though first.

girish

@wu-lee Can you try the new instructions at https://docs.cloudron.io/user-management/#admins ?

wu-lee

Thanks - trying this I get:

root@ubuntu-2gb-hel1-2:~# sudo cloudron-support --owner-login
Login as NULL / <redacted> . Remove /home/yellowtent/platformdata/cloudron_ghost.json when done.

So I think the NULL means something didn't quite work. (The NULL is literally what I see; <redacted> is a redacted password.)

Trying to log in as NULL plus the password fails. (Editing the file cloudron_ghost.json to have admin or superadmin instead, and then using those doesn't work either.)

girish

@wu-lee That's strange. To take a step back, have you finished your Cloudron installation and created a superadmin in the first place? If you did not, you have to go to https://<ip> address and complete the installation.

If you did, can you check the output of:

mysql -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner'"

(You can paste the above command as-is).

wu-lee

Ok, finding and reading the cloudron-support script, I can replicate what it's doing (without the LIMIT 1)

root@ubuntu-2gb-hel1-2:~# mysql -NB -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner' "
mysql: [Warning] Using a password on the command line interface can be insecure.
NULL
wu-lee
NULL
NULL

The problem is there are four accounts which have the role "owner", and the one I am trying to reset has the username wu-lee - but for reasons I don't know the others have no username (they were added after finishing the install, to allow other admins to log in; although I suspect they never have.)

But it also means I guess I can edit the json file to use the username wu-lee.

And logging in as wu-lee now works! (Although perhaps editing the file was not necessary, I've not checked that.)

girish

@wu-lee Ah good catch! I have fixed the query for the next release - https://git.cloudron.io/cloudron/box/-/commit/9b2a3d23b2f72411c89b522f8a23abdcfbe86782

The reason others have no username is because you have invited them but they haven't logged in yet and selected a username.

wu-lee

Thanks for the quick response.

One potential confusion I anticipate is that it picks one of the owner accounts at random, and the person doing the reset (me) might not realise/want that account. Perhaps either:

• specifying which superadmin isn't really necessary, they could all be enabled?
• one of them could be selected less indeterminately, perhaps the oldest?
• or the superuser selected by the resetting user at an interactive prompt?

girish

@wu-lee The tool is not meant to be Cloudron's recommended password reset mechanism. It's the tool of last resort if the Cloudron cannot send email and the owner/superadmin of cloudron is locked out and has only ssh access. We (cloudron team) use this tool to login into our customer's servers as well so that our customers do not require giving us their password (i.e when they give us ssh access, we can now login to debug things).

The way I see it:

• If email is working, there is no problem. You can just go to dashboard -> password login form -> Forgot password.

• If email is not working, if you have other superadmins, you can ask them to go to Users view and give you a password reset link. Note that giving you a password reset link does not require email to work, you can just copy the link from that dialog.

• If email is not working and you are the only superadmin, then cloudron-support is the tool to use. This is why the logic is not super complicated in that script.

But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:

{"username": "sometemporarypassword" }

Let me know if I missed some use case.

wu-lee

Ok, that's fair enough.

@girish said in No 'resetToken' for admin password reset:

But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:
{"username": "sometemporarypassword" }

However, this might be worth adding to the documentation.

girish

Done. I also made a change now where that ghost file is automatically removed after you use it once to login. Just in case, people forget to remove it.