Password reset token issue

odesey · June 13, 2016, 3:24pm

I ran into a pretty interesting issue recently with the password reset token and string interpolation. Any help would be appreciated.

I have the following code in a file like so:

/server/password_reset.js

if (Meteor.isServer) {
    Meteor.startup(function () {
        Accounts.urls.resetPassword = function(token) {
          console.log(token)
          return Meteor.absoluteUrl(`resetpassword?token=${token}`);
        };
    });
}

Now, the console.log(token) displays the correct reset token (the one written to the user’s profile). However, the URL sent has the letters 3D at the begining of every token sent. So for example, the following URL will be sent to the user:

/resetpassword?token=3D3zdIJqH8az_Ux3KghfYla1tmkSq4NHTDA2DNGofjZPE

but the token code is actually:

3zdIJqH8az_Ux3KghfYla1tmkSq4NHTDA2DNGofjZPE

I’ve narrowed it down to the = sign. Once its added, the letters 3D are added to the URL.

Is this a bug or expected?

Thanks.

hwillson · June 13, 2016, 6:27pm

It looks like your reset URLs are being encoded somewhere along the line, since 3D is the hex code for the equals sign. If you make sure your MAIL_URL environment variable isn’t set, and fire a few test emails, what do you see when your email is dumped to standard out? If it looks okay when dumped out, then it could be your SMTP gateway (or receiving end mail client) that’s messing the URL up.

odesey · June 13, 2016, 7:47pm

You are right, I just implemented my email verification and it does the same thing. I will chase it down and see who’s doing the encoding. Thanks for the reply.