[CORE-5206] Password reset date_expires not properly interpreted - Blesta

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.10.1
Component/s: Client Interface, Staff Interface
Labels:
None

Description

However, it appears that the link is already expired when generated, depending on the timezone set under Settings > System > Localization. So, the TTL is actually longer for some, and expired for others.

To reproduce, set the timezone to UTC-7 (Los Angeles), generate a password reset. Note that the time stored in password_resets.date_expires is Los Angeles time + 4 hours, which is in the past if evaluated in UTC time.

I think the date_expires is set in local timezone, and evaluated in UTC. Rather, we should set it and evaluate it in UTC.

Activity

Ascending order - Click to sort in descending order

Paul Phillips created issue - 11/Jun/24 5:40 PM

Paul Phillips made changes - 11/Jun/24 5:40 PM

Field	Original Value	New Value
Rank		Ranked higher

Paul Phillips made changes - 11/Jun/24 5:43 PM

Description

When a password reset form is filled out, a record is added to password_resets table. password_resets.date_expires seems to be timezone+Blesta.reset_password_ttl (from config/blesta.php and timezone from Settings > General > Localization). Shouldn't this be UTC?

However, it appears that the link is already expired when generated, depending on the timezone set under Settings > System > Localization. So, the TTL is actually longer for some, and expired for others.

To reproduce, set the timezone to UTC-8 (Los Angeles), generate a password reset. Note that the time stored in password_resets.date_expires is Los Angeles time + 4 hours, which is in the past if evaluated in UTC time.

I think the date_expires is set in local timezone, and evaluated in UTC. Rather, we should set it and evaluate it in UTC.

When a password reset form is filled out, a record is added to password_resets table. password_resets.date_expires seems to be timezone+Blesta.reset_password_ttl (from config/blesta.php and timezone from Settings > General > Localization). Shouldn't this be UTC?

However, it appears that the link is already expired when generated, depending on the timezone set under Settings > System > Localization. So, the TTL is actually longer for some, and expired for others.

To reproduce, set the timezone to UTC-7 (Los Angeles), generate a password reset. Note that the time stored in password_resets.date_expires is Los Angeles time + 4 hours, which is in the past if evaluated in UTC time.

I think the date_expires is set in local timezone, and evaluated in UTC. Rather, we should set it and evaluate it in UTC.

Jonathan Reissmueller made changes - 13/Jun/24 2:14 PM

Sprint

5.11.0 Sprint 1 [ 201 ]

Jonathan Reissmueller made changes - 13/Jun/24 2:14 PM

Rank

Ranked higher

Abdy Franco made changes - 14/Jun/24 11:18 PM

Assignee

Abdy Franco [ abdy ]

Abdy Franco made changes - 14/Jun/24 11:18 PM

Status

Open [ 1 ]

In Progress [ 3 ]

Abdy Franco made changes - 14/Jun/24 11:30 PM

Remaining Estimate		0 minutes [ 0 ]
Time Spent		12 minutes [ 720 ]
Worklog Id	17130 [ 17130 ]

Abdy Franco made changes - 17/Jun/24 10:52 PM

Time Spent	12 minutes [ 720 ]	4 hours, 28 minutes [ 16080 ]
Worklog Id	17131 [ 17131 ]

Abdy Franco made changes - 17/Jun/24 10:52 PM

Status	In Progress [ 3 ]	In Review [ 5 ]
Resolution		Fixed [ 1 ]

Abdy Franco made changes - 19/Jun/24 10:03 PM

Time Spent	4 hours, 28 minutes [ 16080 ]	4 hours, 42 minutes [ 16920 ]
Worklog Id	17137 [ 17137 ]

Jonathan Reissmueller made changes - 20/Jun/24 1:19 PM

Status

In Review [ 5 ]

Closed [ 6 ]

People

Assignee:

Abdy Franco

Reporter:

Paul Phillips

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

11/Jun/24 5:40 PM

Updated:

20/Jun/24 1:19 PM

Resolved:

17/Jun/24 10:52 PM

Fix Release Date:

26/Jun/24

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4h 42m

Agile

Completed Sprint:

5.11.0 Sprint 1 ended 02/Jul/24
View on Board