Password Recovery expired on custom domain

Hi, happy new year!

I am setting up the password recovery via a link and every time I go to that link and try to change it (it uses a default page at the moment) it says

Cannot change password. The URL to change the password has expired. Please request the password change email again.

It seems this happens only when using a custom domain (without it, it works fine).

POST http://web.facegenius.com/api/{key}/{secret}/change_password/{token} 400 (Bad Request)

It is at the moment without a secure certificate yet, is this the problem, or is there anything else I should look into?

Thanks,
Justinas

Hi Justinas,

Happy new year to you too!

Could you please let us know your application ID and we will look into it?

Regards,
Mark

Hi @mark-piller,

Of course, it is: F2FE78BB-5D08-44FE-B074-6E7C29B49B03. Let me know if you need any other information.

Thanks,
Justinas

Thanks, Justinas. I was able to reproduce the problem. I opened an internal ticket (BKNDLSS-20243) with an elevated priority. We will let you know when the problem is solved.

Regards,
Mark

Thanks @mark-piller,

What workaround would you suggest to implement in the meantime for using a custom domain link? Maybe redirecting to a form on my own page would work?

Thanks,
Justinas

As a temporary workaround, you can switch to the other password recovery mechanism (the email template name is User requests password recovery). With that option, the user will receive a system-generated password instead of entering their own using the form.
I estimate the problem will be fixed some time tomorrow, so the workaround will be rather brief.

Regards,
Mark

Hi @mark-piller,

Thanks for your reply. Not sure if the issue has been fixed yet, but as a workaround, I decided to implement the Password Recovery form on our own website. The only thing is, I got stuck on a CORS policy issue when calling the password reset POST method with the api.backendless.com/… URL from our own domain. Is it possible to somehow do it the way I started?

The exact error:

Access to XMLHttpRequest at 'https://api.backendless.com/{key}/{key}/change_password/{key}' from origin 'https://devushwu{…}.facegenius.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Thanks,
Justinas

Hi Justinas,

The original issue has been resolved. Could you please check and confirm it is working for you?

Regards,
Mark

Hi @mark-piller,

I can confirm it is now working indeed. Thanks for a quick turnaround!

By the way, any comment on my last reply? I see that the password reset page through custom domain is not secure (HTTP), even though fixed. I wonder if such a workaround can be used for a secure HTTPS password reset?

Thanks,
Justinas

I am glad it is working for you. The reason the page is not secure when loaded via custom domain is because we do not have a certificate for your domain. Support for SSL certificates for custom domains is a feature available for the apps on the Cloud99 plan.

Regards,
Mark