If a user clicks on an outdated/already-used password reset link (in the email they get after requesting a pw reset), the frontend (on https://<domain>/password-reset/update-password?code=<code>&email=<email>) first behaves as if this pw reset link is still valid. In other words, it shows no error, until the user enters a new pw and clicks "Change password". Only then it shows a toast with this message:
t4-app/packages/api/src/auth/user.ts, line 253 in 325b5e5:
message: `There are no active verification codes where ${providerId} is ${providerUserId}`,
Suggestion: When the pw reset code is invalid, show this error as soon as the site loads.
Btw: The pw reset email also contains the code on a separate line as the pw reset link, but it's irrelevant to the user because the user is never/nowhere asked to enter this code!
To make it less confusing to the user, we could remove the code from the email. (Considering the link in the email already contains this code in a query param.)
(And then, we could add a non-linkified version of the pw reset URL on a separate line with something like "If the link above doesn't work, enter this URL manually in your browser's address bar".)
Similarly, when the code has already expired when the user visits the pw reset link, it should also already show an error (instead of letting the user enter a new pw and click the button and only then showing an error).
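One way to implement the on-load check both posts ask for, as an added example (not t4-app's code; the record shape, function names and error text are assumptions): the server classifies the code when the page loads, the browser gets one generic state for every failure so the check does not reveal which emails have pending resets, and the submit handler still re-validates.

```typescript
// Added example. All names and shapes are hypothetical, not t4-app's schema.
type ResetRecord = { email: string; code: string; expiresAt: number; usedAt: number | null };
type Reason = "ok" | "unknown" | "used" | "expired";
type LoadState = { showForm: boolean; message: string | null };

const GENERIC_ERROR = "This password reset link is invalid or has expired. Please request a new one.";

// Compare codes without stopping at the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Precise reason, kept server-side for logs and metrics only.
function classifyResetCode(records: ResetRecord[], email: string, code: string, now: number): Reason {
  let reason: Reason = "unknown";
  for (const r of records) {
    if (r.email !== email || !constantTimeEqual(r.code, code)) continue;
    if (r.usedAt !== null) reason = "used";
    else if (r.expiresAt <= now) reason = "expired";
    else return "ok"; // an active code wins over older used/expired ones
  }
  return reason;
}

// What the page receives on load. This is a UX check only: the handler that
// actually changes the password must run classifyResetCode again on submit.
function checkOnLoad(records: ResetRecord[], email: string, code: string, now: number): LoadState {
  const reason = classifyResetCode(records, email, code, now);
  return reason === "ok"
    ? { showForm: true, message: null }
    : { showForm: false, message: GENERIC_ERROR };
}

// Constructed sample data (timestamps in milliseconds).
const NOW = 1700000000000;
const SAMPLE: ResetRecord[] = [
  { email: "a@example.test", code: "111111", expiresAt: NOW + 600000, usedAt: null },
  { email: "b@example.test", code: "222222", expiresAt: NOW + 600000, usedAt: NOW - 1000 },
  { email: "c@example.test", code: "333333", expiresAt: NOW - 1, usedAt: null },
];
```

Because the endpoint answers before any password is entered, it should be rate-limited like the submit endpoint.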