-
Notifications
You must be signed in to change notification settings - Fork 232
Change password works, but spams 10000+ requests and locks the account #605
Comments
The same with me, the password was successfully changed, but many errors appear and the account is blocked by the domain policy |
I confirmed that this issue happens with v4.2.0 and v4.2.4. Using the same |
@eponerine @4arizard v4.0.0 works for me. Thank you @eponerine !!! |
@antonioi88 just push a fix, can confirm before pushing a new version? |
@geoperez I deployed the fix to my environment running v4.2.4 and appears to be working. |
Hello, I have the same issue. What should I do to resolve this problem. I'm using binary version downloaded from: Thak you in advance for any inforamtion. |
We didn't release a binary version yet, you need to compile it. I'll try to release it tomorrow. |
we are setting this behavior on a windows hosted box, we are testing with version 4.2.4 |
I was trying to use 4.0.0 version, but it seems working in the same way. When I press "Change password" nutton it send a lot of request. I don't have any idea what I configured wrong... On the same server (IIS) version 3.6.4 is working very good |
Did I understand correctly, is it fixed in the source code? How do I compile a new binary version? |
Any plans to release a new version with the fix to this issue or provide details info how to patch the existing one (via code compile)? |
Still having this issue with 4.2.4. even when manually bumping .net from 3.1 to 5.1 in the deps.json file as mentioned in another issue here |
Hi, I downgrade to release 4.2.3 with appsettings.json from 4.2.4 it works fine |
Downgrading to 4.2.3 did the trick for me as well 👍 FYI - 4.2.3. still lists |
Same here - Downgrading to 4.2.3 from 4.2.4 solved the issue for me. |
I have the latest version and I have a similar issue |
@yo2mno downgrading to |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
A downgrade to 4.2.3 was the only solution for me as well as I found no option to disable the web checks. I am running Passcore in an closed environment without internet access, and there the check by design can only fail... |
I downgraded to 3.6.4 and it works, but is of course missing some nice features. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Keepalive |
PassCore Server
Describe the bug
Change password works (takes a long time), but the account locks.
In developer tools, it is spamming 10000+ requests as soon as you click on the Change Password button.
The first request works, as the password changes.
But then it displays "you need to provide the correct password" multiple times.
Then it displays the account locked.
Note: If you want to report an issue of passcorepro, please use the proper bug report form at https://store.unosquare.com/passcorepro
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Should only make 1 request to change the password not thousands.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
appsettings.json
{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
},
"WebSettings": {
"EnableHttpsRedirect": true
},
"AppSettings": {
// The following options for AD Provider (remove if you don't use this Provider)
"UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
"RestrictedADGroups": ["Enterprise Admins"], // Set the AD groups to restrict the use of PassCore
"AllowedADGroups": ["Domain Users"], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
"IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
},
"ClientSettings": {
"ValidationRegex": {
"EmailRegex": "^[a-zA-Z0-9.!#$%&’+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$",
"UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
},
"UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
"MinimumDistance": 0, //The minimum distance beetween the old and the new password, this is used to enforce the edit distance using the levenshtein distance algorithm.
"PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
"ShowPasswordMeter": true,
"MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
"Recaptcha": {
"SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
"PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
"LanguageCode": "en"
},
"UseEmail": "true",
"ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
"ChangePasswordTitle": "Change Account Password",
"ChangePasswordForm": {
"HelpText": "If you are having trouble with this tool, please contact IT Support",
"UsernameLabel": "Username",
"UsernameHelpblock": "Your organization's email address",
"UsernameDefaultDomainHelperBlock": "Your organization's username",
"CurrentPasswordLabel": "Current Password",
"CurrentPasswordHelpblock": "Enter your current password",
"NewPasswordLabel": "New Password",
"NewPasswordHelpblock": "Enter a strong password. You can use this tool to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
"NewPasswordVerifyLabel": "Re-enter New Password",
"NewPasswordVerifyHelpblock": "Enter your new password again",
"ChangePasswordButtonLabel": "Change Password"
},
"ErrorsPasswordForm": {
"FieldRequired": "This field is required",
"UsernamePattern": "Please enter a valid username",
"UsernameEmailPattern": "Please enter a valid email address",
"PasswordMatch": "Passwords do not match"
},
"Alerts": {
"SuccessAlertTitle": "You have changed your password successfully.",
"SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
"ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
"ErrorInvalidCredentials": "You need to provide the correct current password.",
"ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
"ErrorInvalidUser": "We could not find your user account.",
"ErrorCaptcha": "Could not verify you are not a robot.",
"ErrorFieldRequired": "Fulfill all the fields.",
"ErrorFieldMismatch": "The passwords do not match.",
"ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
"ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
"ErrorScorePassword": "The password you are trying to set is not secure enough.",
"ErrorDistancePassword": "The password you are trying to set is not diferent enough of your last password.",
"ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
}
}
}
The text was updated successfully, but these errors were encountered: